2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
11 sys.path.append("bin/python")
13 samba.ensure_external_module("subunit", "subunit/python")
14 samba.ensure_external_module("testtools", "testtools")
16 import samba.getopt as options
18 from samba.auth import system_session
19 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
20 from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
21 from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM
22 from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX
23 from ldb import ERR_NO_SUCH_ATTRIBUTE
24 from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
25 from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION
26 from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
27 from ldb import Message, MessageElement, Dn
28 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
30 from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_INTERDOMAIN_TRUST_ACCOUNT,
31 UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
32 UF_PARTIAL_SECRETS_ACCOUNT,
33 UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE, ATYPE_NORMAL_ACCOUNT,
34 ATYPE_WORKSTATION_TRUST, SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE)
35 from samba.dcerpc.security import (DOMAIN_RID_USERS, DOMAIN_RID_DOMAIN_MEMBERS,
36 DOMAIN_RID_DCS, DOMAIN_RID_READONLY_DCS)
38 from subunit.run import SubunitTestRunner
41 from samba.ndr import ndr_pack, ndr_unpack
42 from samba.dcerpc import security
44 parser = optparse.OptionParser("ldap [options] <host>")
45 sambaopts = options.SambaOptions(parser)
46 parser.add_option_group(sambaopts)
47 parser.add_option_group(options.VersionOptions(parser))
48 # use command line creds if available
49 credopts = options.CredentialsOptions(parser)
50 parser.add_option_group(credopts)
51 opts, args = parser.parse_args()
59 lp = sambaopts.get_loadparm()
60 creds = credopts.get_credentials(lp)
62 class BasicTests(unittest.TestCase):
64 def delete_force(self, ldb, dn):
67 except LdbError, (num, _):
68 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
70 def find_basedn(self, ldb):
71 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
72 attrs=["defaultNamingContext"])
73 self.assertEquals(len(res), 1)
74 return res[0]["defaultNamingContext"][0]
76 def find_configurationdn(self, ldb):
77 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
78 self.assertEquals(len(res), 1)
79 return res[0]["configurationNamingContext"][0]
81 def find_schemadn(self, ldb):
82 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
83 self.assertEquals(len(res), 1)
84 return res[0]["schemaNamingContext"][0]
86 def find_domain_sid(self):
87 res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
88 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
91 super(BasicTests, self).setUp()
94 self.base_dn = self.find_basedn(ldb)
95 self.configuration_dn = self.find_configurationdn(ldb)
96 self.schema_dn = self.find_schemadn(ldb)
97 self.domain_sid = self.find_domain_sid()
99 print "baseDN: %s\n" % self.base_dn
101 self.delete_force(self.ldb, "cn=posixuser,cn=users," + self.base_dn)
102 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
103 self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
104 self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
105 self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn)
106 self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer2," + self.base_dn)
107 self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn)
108 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
109 self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
110 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
111 self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn)
112 self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
113 self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn)
114 self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn)
115 self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
116 self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn)
117 self.delete_force(self.ldb, "cn=parentguidtest,cn=users," + self.base_dn)
118 self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn)
119 self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn)
120 self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
121 self.delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn)
122 self.delete_force(self.ldb, "ou=testou,cn=users," + self.base_dn)
123 self.delete_force(self.ldb, "cn=testsecret,cn=system," + self.base_dn)
125 def test_objectclasses(self):
126 """Test objectClass behaviour"""
127 print "Test objectClass behaviour"""
129 # We cannot create LSA-specific objects (oc "secret" or "trustedDomain")
132 "dn": "cn=testsecret,cn=system," + self.base_dn,
133 "objectClass": "secret" })
135 except LdbError, (num, _):
136 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
138 # Invalid objectclass specified
141 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
142 "objectClass": "X" })
144 except LdbError, (num, _):
145 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
147 # Invalid objectCategory specified
150 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
151 "objectClass": "person",
152 "objectCategory": self.base_dn })
154 except LdbError, (num, _):
155 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
157 # Multi-valued "systemFlags"
160 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
161 "objectClass": "person",
162 "systemFlags": ["0", str(SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE)] })
164 except LdbError, (num, _):
165 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
167 # We cannot instanciate from an abstract objectclass
170 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
171 "objectClass": "connectionPoint" })
173 except LdbError, (num, _):
174 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
177 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
178 "objectClass": "person" })
180 # We can remove derivation classes of the structural objectclass
181 # but they're going to be readded afterwards
183 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
184 m["objectClass"] = MessageElement("top", FLAG_MOD_DELETE,
188 res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
189 scope=SCOPE_BASE, attrs=["objectClass"])
190 self.assertTrue(len(res) == 1)
191 self.assertTrue("top" in res[0]["objectClass"])
193 # The top-most structural class cannot be deleted since there are
194 # attributes of it in use
196 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
197 m["objectClass"] = MessageElement("person", FLAG_MOD_DELETE,
202 except LdbError, (num, _):
203 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
205 # We cannot delete classes which weren't specified
207 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
208 m["objectClass"] = MessageElement("computer", FLAG_MOD_DELETE,
213 except LdbError, (num, _):
214 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
216 # An invalid class cannot be added
218 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
219 m["objectClass"] = MessageElement("X", FLAG_MOD_ADD,
224 except LdbError, (num, _):
225 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
227 # The top-most structural class cannot be changed by adding another
230 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
231 m["objectClass"] = MessageElement("user", FLAG_MOD_ADD,
236 except LdbError, (num, _):
237 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
239 # An already specified objectclass cannot be added another time
241 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
242 m["objectClass"] = MessageElement("person", FLAG_MOD_ADD,
247 except LdbError, (num, _):
248 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
250 # Auxiliary classes can always be added
252 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
253 m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_ADD,
257 # It's only possible to replace with the same objectclass combination.
258 # So the replace action on "objectClass" attributes is really useless.
260 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
261 m["objectClass"] = MessageElement(["top", "person", "bootableDevice"],
262 FLAG_MOD_REPLACE, "objectClass")
266 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
267 m["objectClass"] = MessageElement(["person", "bootableDevice"],
268 FLAG_MOD_REPLACE, "objectClass")
272 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
273 m["objectClass"] = MessageElement(["top", "person", "bootableDevice",
274 "connectionPoint"], FLAG_MOD_REPLACE, "objectClass")
278 except LdbError, (num, _):
279 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
282 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
283 m["objectClass"] = MessageElement(["top", "computer"], FLAG_MOD_REPLACE,
288 except LdbError, (num, _):
289 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
291 # Classes can be removed unless attributes of them are used.
293 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
294 m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE,
298 res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
299 scope=SCOPE_BASE, attrs=["objectClass"])
300 self.assertTrue(len(res) == 1)
301 self.assertFalse("bootableDevice" in res[0]["objectClass"])
304 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
305 m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_ADD,
309 # Add an attribute specific to the "bootableDevice" class
311 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
312 m["bootParameter"] = MessageElement("test", FLAG_MOD_ADD,
316 # Classes can be removed unless attributes of them are used. Now there
317 # exist such attributes on the entry.
319 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
320 m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE,
325 except LdbError, (num, _):
326 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
328 # Remove the previously specified attribute
330 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
331 m["bootParameter"] = MessageElement("test", FLAG_MOD_DELETE,
335 # Classes can be removed unless attributes of them are used.
337 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
338 m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE,
342 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
344 def test_system_only(self):
345 """Test systemOnly objects"""
346 print "Test systemOnly objects"""
350 "dn": "cn=ldaptestobject," + self.base_dn,
351 "objectclass": "configuration"})
353 except LdbError, (num, _):
354 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
358 "dn": "cn=testsecret,cn=system," + self.base_dn,
359 "objectclass": "secret"})
361 except LdbError, (num, _):
362 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
364 self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
365 self.delete_force(self.ldb, "cn=testsecret,cn=system," + self.base_dn)
367 def test_invalid_parent(self):
368 """Test adding an object with invalid parent"""
369 print "Test adding an object with invalid parent"""
373 "dn": "cn=ldaptestgroup,cn=thisdoesnotexist123,"
375 "objectclass": "group"})
377 except LdbError, (num, _):
378 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
380 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=thisdoesnotexist123,"
385 "dn": "ou=testou,cn=users," + self.base_dn,
386 "objectclass": "organizationalUnit"})
388 except LdbError, (num, _):
389 self.assertEquals(num, ERR_NAMING_VIOLATION)
391 self.delete_force(self.ldb, "ou=testou,cn=users," + self.base_dn)
393 def test_invalid_attribute(self):
394 """Test invalid attributes on schema/objectclasses"""
395 print "Test invalid attributes on schema/objectclasses"""
397 # attributes not in schema test
403 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
404 "objectclass": "group",
405 "thisdoesnotexist": "x"})
407 except LdbError, (num, _):
408 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
411 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
412 "objectclass": "group"})
417 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
418 m["thisdoesnotexist"] = MessageElement("x", FLAG_MOD_REPLACE,
423 except LdbError, (num, _):
424 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
426 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
428 # attributes not in objectclasses and mandatory attributes missing test
429 # Use here a non-SAM entry since it doesn't have special triggers
430 # associated which have an impact on the error results.
434 # mandatory attribute missing
437 "dn": "cn=ldaptestobject," + self.base_dn,
438 "objectclass": "ipProtocol"})
440 except LdbError, (num, _):
441 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
443 # inadequate but schema-valid attribute specified
446 "dn": "cn=ldaptestobject," + self.base_dn,
447 "objectclass": "ipProtocol",
448 "ipProtocolNumber": "1",
451 except LdbError, (num, _):
452 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
455 "dn": "cn=ldaptestobject," + self.base_dn,
456 "objectclass": "ipProtocol",
457 "ipProtocolNumber": "1"})
461 # inadequate but schema-valid attribute add trial
463 m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn)
464 m["uid"] = MessageElement("0", FLAG_MOD_ADD, "uid")
468 except LdbError, (num, _):
469 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
471 # mandatory attribute delete trial
473 m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn)
474 m["ipProtocolNumber"] = MessageElement([], FLAG_MOD_DELETE,
479 except LdbError, (num, _):
480 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
482 # mandatory attribute delete trial
484 m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn)
485 m["ipProtocolNumber"] = MessageElement([], FLAG_MOD_REPLACE,
490 except LdbError, (num, _):
491 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
493 self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
495 def test_single_valued_attributes(self):
496 """Test single-valued attributes"""
497 print "Test single-valued attributes"""
501 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
502 "objectclass": "group",
503 "sAMAccountName": ["nam1", "nam2"]})
505 except LdbError, (num, _):
506 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
509 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
510 "objectclass": "group"})
513 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
514 m["sAMAccountName"] = MessageElement(["nam1","nam2"], FLAG_MOD_REPLACE,
519 except LdbError, (num, _):
520 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
523 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
524 m["sAMAccountName"] = MessageElement("testgroupXX", FLAG_MOD_REPLACE,
529 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
530 m["sAMAccountName"] = MessageElement("testgroupXX2", FLAG_MOD_ADD,
535 except LdbError, (num, _):
536 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
538 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
540 def test_multi_valued_attributes(self):
541 """Test multi-valued attributes"""
542 print "Test multi-valued attributes"""
544 # TODO: In this test I added some special tests where I got very unusual
545 # results back from a real AD. s4 doesn't match them and I've no idea how to
546 # implement those error cases (maybe there exists a special trigger for
547 # "description" attributes which handle them)
550 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
551 "description": "desc2",
552 "objectclass": "group",
553 "description": "desc1"})
555 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
558 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
559 "objectclass": "group",
560 "description": ["desc1", "desc2"]})
563 # m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
564 # m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
569 # except LdbError, (num, _):
570 # self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
573 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
574 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
579 # m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
580 # m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
585 # except LdbError, (num, _):
586 # self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
589 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
590 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
595 except LdbError, (num, _):
596 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
599 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
600 m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
605 # m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
606 # m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
611 # except LdbError, (num, _):
612 # self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
615 # m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
616 # m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
621 # except LdbError, (num, _):
622 # self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
625 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
626 m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
630 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
632 def test_empty_messages(self):
633 """Test empty messages"""
634 print "Test empty messages"""
637 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
642 except LdbError, (num, _):
643 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
648 except LdbError, (num, _):
649 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
651 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
653 def test_empty_attributes(self):
654 """Test empty attributes"""
655 print "Test empty attributes"""
658 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
659 m["objectClass"] = MessageElement("group", FLAG_MOD_ADD, "objectClass")
660 m["description"] = MessageElement([], FLAG_MOD_ADD, "description")
665 except LdbError, (num, _):
666 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
669 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
670 "objectclass": "group"})
673 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
674 m["description"] = MessageElement([], FLAG_MOD_ADD, "description")
679 except LdbError, (num, _):
680 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
683 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
684 m["description"] = MessageElement([], FLAG_MOD_REPLACE, "description")
688 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
689 m["description"] = MessageElement([], FLAG_MOD_DELETE, "description")
693 except LdbError, (num, _):
694 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
696 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
698 def test_instanceType(self):
699 """Tests the 'instanceType' attribute"""
700 print "Tests the 'instanceType' attribute"""
702 # The instance type is single-valued
705 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
706 "objectclass": "group",
707 "instanceType": ["0", "1"]})
709 except LdbError, (num, _):
710 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
712 # The head NC flag cannot be set without the write flag
715 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
716 "objectclass": "group",
717 "instanceType": "1" })
719 except LdbError, (num, _):
720 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
722 # We cannot manipulate NCs without the head NC flag
725 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
726 "objectclass": "group",
727 "instanceType": "32" })
729 except LdbError, (num, _):
730 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
733 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
734 "objectclass": "group"})
737 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
738 m["instanceType"] = MessageElement("0", FLAG_MOD_REPLACE,
743 except LdbError, (num, _):
744 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
747 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
748 m["instanceType"] = MessageElement([], FLAG_MOD_REPLACE,
753 except LdbError, (num, _):
754 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
757 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
758 m["instanceType"] = MessageElement([], FLAG_MOD_DELETE, "instanceType")
762 except LdbError, (num, _):
763 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
765 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
767 def test_distinguished_name(self):
768 """Tests the 'distinguishedName' attribute"""
769 print "Tests the 'distinguishedName' attribute"""
771 # a wrong "distinguishedName" attribute is obviously tolerated
773 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
774 "objectclass": "group",
775 "distinguishedName": "cn=ldaptest,cn=users," + self.base_dn})
777 # proof if the DN has been set correctly
778 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
779 scope=SCOPE_BASE, attrs=["distinguishedName"])
780 self.assertTrue(len(res) == 1)
781 self.assertTrue("distinguishedName" in res[0])
782 self.assertTrue(Dn(ldb, res[0]["distinguishedName"][0])
783 == Dn(ldb, "cn=ldaptestgroup, cn=users," + self.base_dn))
786 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
787 m["distinguishedName"] = MessageElement(
788 "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_ADD,
794 except LdbError, (num, _):
795 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
798 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
799 m["distinguishedName"] = MessageElement(
800 "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_REPLACE,
806 except LdbError, (num, _):
807 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
810 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
811 m["distinguishedName"] = MessageElement(
812 "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_DELETE,
818 except LdbError, (num, _):
819 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
821 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
823 def test_rdn_name(self):
825 print "Tests the RDN"""
829 "dn": "description=xyz,cn=users," + self.base_dn,
830 "objectclass": "group"})
832 except LdbError, (num, _):
833 self.assertEquals(num, ERR_NAMING_VIOLATION)
835 self.delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn)
837 # a wrong "name" attribute is obviously tolerated
839 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
840 "objectclass": "group",
841 "name": "ldaptestgroupx"})
843 # proof if the name has been set correctly
844 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
845 scope=SCOPE_BASE, attrs=["name"])
846 self.assertTrue(len(res) == 1)
847 self.assertTrue("name" in res[0])
848 self.assertTrue(res[0]["name"][0] == "ldaptestgroup")
851 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
852 m["name"] = MessageElement("cn=ldaptestuser", FLAG_MOD_REPLACE,
857 except LdbError, (num, _):
858 self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN)
861 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
862 m["cn"] = MessageElement("ldaptestuser",
863 FLAG_MOD_REPLACE, "cn")
867 except LdbError, (num, _):
868 self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN)
870 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
873 # this test needs to be disabled until we really understand
874 # what the rDN length constraints are
875 def DISABLED_test_largeRDN(self):
876 """Testing large rDN (limit 64 characters)"""
877 rdn = "CN=a012345678901234567890123456789012345678901234567890123456789012";
878 self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
880 dn: %s,%s""" % (rdn,self.base_dn) + """
881 objectClass: container
883 self.ldb.add_ldif(ldif)
884 self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
886 rdn = "CN=a0123456789012345678901234567890123456789012345678901234567890120";
887 self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
890 dn: %s,%s""" % (rdn,self.base_dn) + """
891 objectClass: container
893 self.ldb.add_ldif(ldif)
895 except LdbError, (num, _):
896 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
897 self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
899 def test_rename(self):
900 """Tests the rename operation"""
901 print "Tests the rename operations"""
904 # cannot rename to be a child of itself
905 ldb.rename(self.base_dn, "dc=test," + self.base_dn)
907 except LdbError, (num, _):
908 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
912 ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn)
914 except LdbError, (num, _):
915 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
918 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
919 "objectclass": ["user", "person"] })
921 ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn)
922 ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn)
923 ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestUSER3,cn=users," + self.base_dn)
926 # containment problem: a user entry cannot contain user entries
927 ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser4,cn=ldaptestuser3,cn=users," + self.base_dn)
929 except LdbError, (num, _):
930 self.assertEquals(num, ERR_NAMING_VIOLATION)
934 ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=people,cn=users," + self.base_dn)
936 except LdbError, (num, _):
937 self.assertEquals(num, ERR_OTHER)
940 # invalid target DN syntax
941 ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, ",cn=users," + self.base_dn)
943 except LdbError, (num, _):
944 self.assertEquals(num, ERR_INVALID_DN_SYNTAX)
948 ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "ou=ldaptestuser3,cn=users," + self.base_dn)
950 except LdbError, (num, _):
951 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
953 self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
955 # Performs some "systemFlags" testing
957 # Move failing since no "SYSTEM_FLAG_CONFIG_ALLOW_MOVE"
959 ldb.rename("CN=DisplaySpecifiers," + self.configuration_dn, "CN=DisplaySpecifiers,CN=Services," + self.configuration_dn)
961 except LdbError, (num, _):
962 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
964 # Limited move failing since no "SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE"
966 ldb.rename("CN=Directory Service,CN=Windows NT,CN=Services," + self.configuration_dn, "CN=Directory Service,CN=RRAS,CN=Services," + self.configuration_dn)
968 except LdbError, (num, _):
969 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
971 # Rename failing since no "SYSTEM_FLAG_CONFIG_ALLOW_RENAME"
973 ldb.rename("CN=DisplaySpecifiers," + self.configuration_dn, "CN=DisplaySpecifiers2," + self.configuration_dn)
975 except LdbError, (num, _):
976 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
978 # It's not really possible to test moves on the schema partition since
979 # there don't exist subcontainers on it.
981 # Rename failing since "SYSTEM_FLAG_SCHEMA_BASE_OBJECT"
983 ldb.rename("CN=Top," + self.schema_dn, "CN=Top2," + self.schema_dn)
985 except LdbError, (num, _):
986 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
988 # Move failing since "SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE"
990 ldb.rename("CN=Users," + self.base_dn, "CN=Users,CN=Computers," + self.base_dn)
992 except LdbError, (num, _):
993 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
995 # Rename failing since "SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME"
997 ldb.rename("CN=Users," + self.base_dn, "CN=Users2," + self.base_dn)
999 except LdbError, (num, _):
1000 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1002 # Performs some other constraints testing
1005 ldb.rename("CN=Policies,CN=System," + self.base_dn, "CN=Users2," + self.base_dn)
1007 except LdbError, (num, _):
1008 self.assertEquals(num, ERR_OTHER)
1010 def test_rename_twice(self):
1011 """Tests the rename operation twice - this corresponds to a past bug"""
1012 print "Tests the rename twice operation"""
1015 "dn": "cn=ldaptestuser5,cn=users," + self.base_dn,
1016 "objectclass": ["user", "person"] })
1018 ldb.rename("cn=ldaptestuser5,cn=users," + self.base_dn, "cn=ldaptestUSER5,cn=users," + self.base_dn)
1019 self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn)
1021 "dn": "cn=ldaptestuser5,cn=users," + self.base_dn,
1022 "objectclass": ["user", "person"] })
1023 ldb.rename("cn=ldaptestuser5,cn=Users," + self.base_dn, "cn=ldaptestUSER5,cn=users," + self.base_dn)
1024 res = ldb.search(expression="cn=ldaptestuser5")
1025 print "Found %u records" % len(res)
1026 self.assertEquals(len(res), 1, "Wrong number of hits for cn=ldaptestuser5")
1027 res = ldb.search(expression="(&(cn=ldaptestuser5)(objectclass=user))")
1028 print "Found %u records" % len(res)
1029 self.assertEquals(len(res), 1, "Wrong number of hits for (&(cn=ldaptestuser5)(objectclass=user))")
1030 self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn)
1032 def test_parentGUID(self):
1033 """Test parentGUID behaviour"""
1034 print "Testing parentGUID behaviour\n"
1036 # TODO: This seems to fail on Windows Server. Hidden attribute?
1039 "dn": "cn=parentguidtest,cn=users," + self.base_dn,
1040 "objectclass":"user",
1041 "samaccountname":"parentguidtest"});
1042 res1 = ldb.search(base="cn=parentguidtest,cn=users," + self.base_dn, scope=SCOPE_BASE,
1043 attrs=["parentGUID", "samaccountname"]);
1044 res2 = ldb.search(base="cn=users," + self.base_dn,scope=SCOPE_BASE,
1045 attrs=["objectGUID"]);
1046 res3 = ldb.search(base=self.base_dn, scope=SCOPE_BASE,
1047 attrs=["parentGUID"]);
1048 res4 = ldb.search(base=self.configuration_dn, scope=SCOPE_BASE,
1049 attrs=["parentGUID"]);
1050 res5 = ldb.search(base=self.schema_dn, scope=SCOPE_BASE,
1051 attrs=["parentGUID"]);
1053 """Check if the parentGUID is valid """
1054 self.assertEquals(res1[0]["parentGUID"], res2[0]["objectGUID"]);
1056 """Check if it returns nothing when there is no parent object - default NC"""
1057 has_parentGUID = False
1058 for key in res3[0].keys():
1059 if key == "parentGUID":
1060 has_parentGUID = True
1062 self.assertFalse(has_parentGUID);
1064 """Check if it returns nothing when there is no parent object - configuration NC"""
1065 has_parentGUID = False
1066 for key in res4[0].keys():
1067 if key == "parentGUID":
1068 has_parentGUID = True
1070 self.assertFalse(has_parentGUID);
1072 """Check if it returns nothing when there is no parent object - schema NC"""
1073 has_parentGUID = False
1074 for key in res5[0].keys():
1075 if key == "parentGUID":
1076 has_parentGUID = True
1078 self.assertFalse(has_parentGUID);
1080 """Ensures that if you look for another object attribute after the constructed
1081 parentGUID, it will return correctly"""
1082 has_another_attribute = False
1083 for key in res1[0].keys():
1084 if key == "sAMAccountName":
1085 has_another_attribute = True
1087 self.assertTrue(has_another_attribute)
1088 self.assertTrue(len(res1[0]["samaccountname"]) == 1)
1089 self.assertEquals(res1[0]["samaccountname"][0], "parentguidtest");
1091 print "Testing parentGUID behaviour on rename\n"
1094 "dn": "cn=testotherusers," + self.base_dn,
1095 "objectclass":"container"});
1096 res1 = ldb.search(base="cn=testotherusers," + self.base_dn,scope=SCOPE_BASE,
1097 attrs=["objectGUID"]);
1098 ldb.rename("cn=parentguidtest,cn=users," + self.base_dn,
1099 "cn=parentguidtest,cn=testotherusers," + self.base_dn);
1100 res2 = ldb.search(base="cn=parentguidtest,cn=testotherusers," + self.base_dn,
1102 attrs=["parentGUID"]);
1103 self.assertEquals(res1[0]["objectGUID"], res2[0]["parentGUID"]);
1105 self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn)
1106 self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn)
1108 def test_groupType_int32(self):
1109 """Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparsion)"""
1110 print "Testing groupType (int32) behaviour\n"
1112 res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
1113 attrs=["groupType"], expression="groupType=2147483653");
1115 res2 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
1116 attrs=["groupType"], expression="groupType=-2147483643");
1118 self.assertEquals(len(res1), len(res2))
1120 self.assertTrue(res1.count > 0)
1122 self.assertEquals(res1[0]["groupType"][0], "-2147483643")
1124 def test_linked_attributes(self):
1125 """This tests the linked attribute behaviour"""
1126 print "Testing linked attribute behaviour\n"
1129 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
1130 "objectclass": "group"})
1132 # This should not work since "memberOf" is linked to "member"
1135 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1136 "objectclass": ["user", "person"],
1137 "memberOf": "cn=ldaptestgroup,cn=users," + self.base_dn})
1138 except LdbError, (num, _):
1139 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1142 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1143 "objectclass": ["user", "person"]})
1146 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1147 m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn,
1148 FLAG_MOD_ADD, "memberOf")
1152 except LdbError, (num, _):
1153 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1156 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1157 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
1158 FLAG_MOD_ADD, "member")
1162 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1163 m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn,
1164 FLAG_MOD_REPLACE, "memberOf")
1168 except LdbError, (num, _):
1169 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1172 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1173 m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn,
1174 FLAG_MOD_DELETE, "memberOf")
1178 except LdbError, (num, _):
1179 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1182 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1183 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
1184 FLAG_MOD_DELETE, "member")
1187 # This should yield no results since the member attribute for
1188 # "ldaptestuser" should have been deleted
1189 res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
1191 expression="(member=cn=ldaptestuser,cn=users," + self.base_dn + ")",
1193 self.assertTrue(len(res1) == 0)
1195 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1198 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
1199 "objectclass": "group",
1200 "member": "cn=ldaptestuser,cn=users," + self.base_dn})
1202 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1204 # Make sure that the "member" attribute for "ldaptestuser" has been
1206 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1207 scope=SCOPE_BASE, attrs=["member"])
1208 self.assertTrue(len(res) == 1)
1209 self.assertFalse("member" in res[0])
1211 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1213 def test_users_groups(self):
1214 """This tests the SAM users and groups behaviour"""
1215 print "Testing users and groups behaviour\n"
1218 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
1219 "objectclass": "group"})
1222 "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
1223 "objectclass": "group"})
1225 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1226 scope=SCOPE_BASE, attrs=["objectSID"])
1227 self.assertTrue(len(res1) == 1)
1228 group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID",
1229 res1[0]["objectSID"][0])).split()[1]
1231 res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
1232 scope=SCOPE_BASE, attrs=["objectSID"])
1233 self.assertTrue(len(res1) == 1)
1234 group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID",
1235 res1[0]["objectSID"][0])).split()[1]
1237 # Try to create a user with an invalid primary group
1240 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1241 "objectclass": ["user", "person"],
1242 "primaryGroupID": "0"})
1244 except LdbError, (num, _):
1245 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1246 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1248 # Try to Create a user with a valid primary group
1251 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1252 "objectclass": ["user", "person"],
1253 "primaryGroupID": str(group_rid_1)})
1255 except LdbError, (num, _):
1256 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1257 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1259 # Test to see how we should behave when the user account doesn't
1262 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1263 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
1268 except LdbError, (num, _):
1269 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1271 # Test to see how we should behave when the account isn't a user
1273 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1274 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
1279 except LdbError, (num, _):
1280 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1282 # Test default primary groups on add operations
1285 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1286 "objectclass": ["user", "person"]})
1288 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1289 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1290 self.assertTrue(len(res1) == 1)
1291 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
1293 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1296 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1297 "objectclass": ["user", "person"],
1298 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD) })
1300 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1301 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1302 self.assertTrue(len(res1) == 1)
1303 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
1305 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1307 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
1308 # since such accounts aren't directly creatable (ACCESS_DENIED)
1311 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1312 "objectclass": ["computer"],
1313 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
1315 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1316 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1317 self.assertTrue(len(res1) == 1)
1318 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
1320 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1323 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1324 "objectclass": ["computer"],
1325 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
1327 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1328 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1329 self.assertTrue(len(res1) == 1)
1330 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
1332 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1334 # Read-only DC accounts are only creatable by
1335 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
1336 # we have a fallback in the assertion)
1338 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1339 "objectclass": ["computer"],
1340 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
1342 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1343 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1344 self.assertTrue(len(res1) == 1)
1345 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
1346 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
1348 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1350 # Test default primary groups on modify operations
1353 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1354 "objectclass": ["user", "person"]})
1357 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1358 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
1359 "userAccountControl")
1362 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1363 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1364 self.assertTrue(len(res1) == 1)
1365 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
1367 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
1368 # since such accounts aren't directly creatable (ACCESS_DENIED)
1370 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1373 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1374 "objectclass": ["computer"]})
1376 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1377 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1378 self.assertTrue(len(res1) == 1)
1379 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
1382 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1383 m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
1384 "userAccountControl")
1387 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1388 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1389 self.assertTrue(len(res1) == 1)
1390 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
1393 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1394 m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
1395 "userAccountControl")
1398 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1399 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1400 self.assertTrue(len(res1) == 1)
1401 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
1403 # Read-only DC accounts are only creatable by
1404 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
1405 # we have a fallback in the assertion)
1407 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1408 m["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
1409 "userAccountControl")
1412 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1413 scope=SCOPE_BASE, attrs=["primaryGroupID"])
1414 self.assertTrue(len(res1) == 1)
1415 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
1416 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
1418 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1420 # Recreate account for further tests
1423 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1424 "objectclass": ["user", "person"]})
1426 # We should be able to reset our actual primary group
1428 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1429 m["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS), FLAG_MOD_REPLACE,
1433 # Try to add invalid primary group
1435 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1436 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
1441 except LdbError, (num, _):
1442 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1444 # Try to make group 1 primary - should be denied since it is not yet
1447 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1448 m["primaryGroupID"] = MessageElement(str(group_rid_1),
1449 FLAG_MOD_REPLACE, "primaryGroupID")
1453 except LdbError, (num, _):
1454 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1456 # Make group 1 secondary
1458 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1459 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
1460 FLAG_MOD_REPLACE, "member")
1463 # Make group 1 primary
1465 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1466 m["primaryGroupID"] = MessageElement(str(group_rid_1),
1467 FLAG_MOD_REPLACE, "primaryGroupID")
1470 # Try to delete group 1 - should be denied
1472 ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
1474 except LdbError, (num, _):
1475 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
1477 # Try to add group 1 also as secondary - should be denied
1479 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1480 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
1481 FLAG_MOD_ADD, "member")
1485 except LdbError, (num, _):
1486 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
1488 # Try to add invalid member to group 1 - should be denied
1490 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1491 m["member"] = MessageElement(
1492 "cn=ldaptestuser3,cn=users," + self.base_dn,
1493 FLAG_MOD_ADD, "member")
1497 except LdbError, (num, _):
1498 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1500 # Make group 2 secondary
1502 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
1503 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
1504 FLAG_MOD_ADD, "member")
1509 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1510 m["primaryGroupID"] = MessageElement(str(group_rid_2),
1511 FLAG_MOD_REPLACE, "primaryGroupID")
1514 # Old primary group should contain a "member" attribute for the user,
1515 # the new shouldn't contain anymore one
1516 res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
1517 scope=SCOPE_BASE, attrs=["member"])
1518 self.assertTrue(len(res1) == 1)
1519 self.assertTrue(len(res1[0]["member"]) == 1)
1520 self.assertEquals(res1[0]["member"][0].lower(),
1521 ("cn=ldaptestuser,cn=users," + self.base_dn).lower())
1523 res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
1524 scope=SCOPE_BASE, attrs=["member"])
1525 self.assertTrue(len(res1) == 1)
1526 self.assertFalse("member" in res1[0])
1528 # Also this should be denied
1531 "dn": "cn=ldaptestuser1,cn=users," + self.base_dn,
1532 "objectclass": ["user", "person"],
1533 "primaryGroupID": "0"})
1535 except LdbError, (num, _):
1536 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1538 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1539 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1540 self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
1542 def test_sam_attributes(self):
1543 """Test the behaviour of special attributes of SAM objects"""
1544 print "Testing the behaviour of special attributes of SAM objects\n"""
1547 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1548 "objectclass": ["user", "person"]})
1550 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
1551 "objectclass": "group"})
1554 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1555 m["groupType"] = MessageElement("0", FLAG_MOD_ADD,
1560 except LdbError, (num, _):
1561 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
1564 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1565 m["groupType"] = MessageElement([], FLAG_MOD_DELETE,
1570 except LdbError, (num, _):
1571 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1574 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1575 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_ADD,
1580 except LdbError, (num, _):
1581 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
1584 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1585 m["primaryGroupID"] = MessageElement([], FLAG_MOD_DELETE,
1590 except LdbError, (num, _):
1591 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1594 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1595 m["userAccountControl"] = MessageElement("0", FLAG_MOD_ADD,
1596 "userAccountControl")
1600 except LdbError, (num, _):
1601 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
1604 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1605 m["userAccountControl"] = MessageElement([], FLAG_MOD_DELETE,
1606 "userAccountControl")
1610 except LdbError, (num, _):
1611 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1614 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1615 m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD,
1620 except LdbError, (num, _):
1621 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1624 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1625 m["sAMAccountType"] = MessageElement([], FLAG_MOD_REPLACE,
1630 except LdbError, (num, _):
1631 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1634 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1635 m["sAMAccountType"] = MessageElement([], FLAG_MOD_DELETE,
1640 except LdbError, (num, _):
1641 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1643 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1644 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1646 def test_primary_group_token_constructed(self):
1647 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
1648 print "Testing primary group token behaviour and other constructed attributes\n"
1652 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
1653 "objectclass": "group",
1654 "primaryGroupToken": "100"})
1656 except LdbError, (num, _):
1657 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
1658 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1661 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1662 "objectclass": ["user", "person"]})
1665 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
1666 "objectclass": "group"})
1668 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
1669 res1 = ldb.search(self.base_dn,
1670 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"])
1671 self.assertTrue(len(res1) == 1)
1672 self.assertFalse("primaryGroupToken" in res1[0])
1673 self.assertTrue("canonicalName" in res1[0])
1674 self.assertTrue("objectClass" in res1[0])
1675 self.assertTrue("objectSid" in res1[0])
1677 res1 = ldb.search(self.base_dn,
1678 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"])
1679 self.assertTrue(len(res1) == 1)
1680 self.assertFalse("primaryGroupToken" in res1[0])
1681 self.assertFalse("objectSid" in res1[0])
1682 self.assertFalse("objectClass" in res1[0])
1683 self.assertTrue("canonicalName" in res1[0])
1685 res1 = ldb.search("cn=users,"+self.base_dn,
1686 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
1687 self.assertTrue(len(res1) == 1)
1688 self.assertFalse("primaryGroupToken" in res1[0])
1690 res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn,
1691 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
1692 self.assertTrue(len(res1) == 1)
1693 self.assertFalse("primaryGroupToken" in res1[0])
1695 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1697 self.assertTrue(len(res1) == 1)
1698 self.assertFalse("primaryGroupToken" in res1[0])
1700 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1701 scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"])
1702 self.assertTrue(len(res1) == 1)
1703 primary_group_token = int(res1[0]["primaryGroupToken"][0])
1705 rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1]
1706 self.assertEquals(primary_group_token, rid)
1709 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1710 m["primaryGroupToken"] = "100"
1714 except LdbError, (num, _):
1715 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
1717 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1718 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1720 def test_tokenGroups(self):
1721 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
1722 print "Testing tokenGroups behaviour\n"
1724 # The domain object shouldn't contain any "tokenGroups" entry
1725 res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"])
1726 self.assertTrue(len(res) == 1)
1727 self.assertFalse("tokenGroups" in res[0])
1729 # The domain administrator should contain "tokenGroups" entries
1730 # (the exact number depends on the domain/forest function level and the
1731 # DC software versions)
1732 res = ldb.search("cn=Administrator,cn=Users," + self.base_dn,
1733 scope=SCOPE_BASE, attrs=["tokenGroups"])
1734 self.assertTrue(len(res) == 1)
1735 self.assertTrue("tokenGroups" in res[0])
1738 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1739 "objectclass": ["user", "person"]})
1741 # This testuser should contain at least two "tokenGroups" entries
1742 # (exactly two on an unmodified "Domain Users" and "Users" group)
1743 res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1744 scope=SCOPE_BASE, attrs=["tokenGroups"])
1745 self.assertTrue(len(res) == 1)
1746 self.assertTrue(len(res[0]["tokenGroups"]) >= 2)
1748 # one entry which we need to find should point to domains "Domain Users"
1749 # group and another entry should point to the builtin "Users"group
1750 domain_users_group_found = False
1751 users_group_found = False
1752 for sid in res[0]["tokenGroups"]:
1753 rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1]
1755 domain_users_group_found = True
1757 users_group_found = True
1759 self.assertTrue(domain_users_group_found)
1760 self.assertTrue(users_group_found)
1762 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1764 def test_wkguid(self):
1765 """Test Well known GUID behaviours (including DN+Binary)"""
1766 print "Test Well known GUID behaviours (including DN+Binary)"""
1768 res = self.ldb.search(base=("<WKGUID=ab1d30f3768811d1aded00c04fd8d5cd,%s>" % self.base_dn), scope=SCOPE_BASE, attrs=[])
1769 self.assertEquals(len(res), 1)
1771 res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=B:32:ab1d30f3768811d1aded00c04fd8d5cd:%s" % res[0].dn))
1772 self.assertEquals(len(res2), 1)
1774 # Prove that the matching rule is over the whole DN+Binary
1775 res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=B:32:ab1d30f3768811d1aded00c04fd8d5cd"))
1776 self.assertEquals(len(res2), 0)
1777 # Prove that the matching rule is over the whole DN+Binary
1778 res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=%s") % res[0].dn)
1779 self.assertEquals(len(res2), 0)
1781 def test_subschemasubentry(self):
1782 """Test subSchemaSubEntry appears when requested, but not when not requested"""
1783 print "Test subSchemaSubEntry"""
1785 res = self.ldb.search(base=self.base_dn, scope=SCOPE_BASE, attrs=["subSchemaSubEntry"])
1786 self.assertEquals(len(res), 1)
1787 self.assertEquals(res[0]["subSchemaSubEntry"][0], "CN=Aggregate,"+self.schema_dn)
1789 res = self.ldb.search(base=self.base_dn, scope=SCOPE_BASE, attrs=["*"])
1790 self.assertEquals(len(res), 1)
1791 self.assertTrue("subScheamSubEntry" not in res[0])
1796 print "Testing user add"
1799 "dn": "cn=ldaptestuser,cn=uSers," + self.base_dn,
1800 "objectclass": ["user", "person"],
1801 "cN": "LDAPtestUSER",
1802 "givenname": "ldap",
1806 "dn": "cn=ldaptestgroup,cn=uSers," + self.base_dn,
1807 "objectclass": "group",
1808 "member": "cn=ldaptestuser,cn=useRs," + self.base_dn})
1811 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1812 "objectclass": "computer",
1813 "cN": "LDAPtestCOMPUTER"})
1815 ldb.add({"dn": "cn=ldaptest2computer,cn=computers," + self.base_dn,
1816 "objectClass": "computer",
1817 "cn": "LDAPtest2COMPUTER",
1818 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT),
1819 "displayname": "ldap testy"})
1822 ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
1823 "objectClass": "computer",
1824 "cn": "LDAPtest2COMPUTER"
1827 except LdbError, (num, _):
1828 self.assertEquals(num, ERR_INVALID_DN_SYNTAX)
1831 ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
1832 "objectClass": "computer",
1833 "cn": "ldaptestcomputer3",
1834 "sAMAccountType": str(ATYPE_NORMAL_ACCOUNT)
1837 except LdbError, (num, _):
1838 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1840 ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
1841 "objectClass": "computer",
1842 "cn": "LDAPtestCOMPUTER3"
1845 print "Testing ldb.search for (&(cn=ldaptestcomputer3)(objectClass=user))";
1846 res = ldb.search(self.base_dn, expression="(&(cn=ldaptestcomputer3)(objectClass=user))");
1847 self.assertEquals(len(res), 1, "Found only %d for (&(cn=ldaptestcomputer3)(objectClass=user))" % len(res))
1849 self.assertEquals(str(res[0].dn), ("CN=ldaptestcomputer3,CN=Computers," + self.base_dn));
1850 self.assertEquals(res[0]["cn"][0], "ldaptestcomputer3");
1851 self.assertEquals(res[0]["name"][0], "ldaptestcomputer3");
1852 self.assertEquals(res[0]["objectClass"][0], "top");
1853 self.assertEquals(res[0]["objectClass"][1], "person");
1854 self.assertEquals(res[0]["objectClass"][2], "organizationalPerson");
1855 self.assertEquals(res[0]["objectClass"][3], "user");
1856 self.assertEquals(res[0]["objectClass"][4], "computer");
1857 self.assertTrue("objectGUID" in res[0])
1858 self.assertTrue("whenCreated" in res[0])
1859 self.assertEquals(res[0]["objectCategory"][0], ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn));
1860 self.assertEquals(int(res[0]["primaryGroupID"][0]), 513);
1861 self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT);
1862 self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE);
1864 self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
1866 print "Testing attribute or value exists behaviour"
1869 dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
1871 replace: servicePrincipalName
1872 servicePrincipalName: host/ldaptest2computer
1873 servicePrincipalName: host/ldaptest2computer
1874 servicePrincipalName: cifs/ldaptest2computer
1877 except LdbError, (num, msg):
1878 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
1881 dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
1883 replace: servicePrincipalName
1884 servicePrincipalName: host/ldaptest2computer
1885 servicePrincipalName: cifs/ldaptest2computer
1889 dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
1891 add: servicePrincipalName
1892 servicePrincipalName: host/ldaptest2computer
1895 except LdbError, (num, msg):
1896 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
1898 print "Testing ranged results"
1900 dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
1902 replace: servicePrincipalName
1906 dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
1908 add: servicePrincipalName
1909 servicePrincipalName: host/ldaptest2computer0
1910 servicePrincipalName: host/ldaptest2computer1
1911 servicePrincipalName: host/ldaptest2computer2
1912 servicePrincipalName: host/ldaptest2computer3
1913 servicePrincipalName: host/ldaptest2computer4
1914 servicePrincipalName: host/ldaptest2computer5
1915 servicePrincipalName: host/ldaptest2computer6
1916 servicePrincipalName: host/ldaptest2computer7
1917 servicePrincipalName: host/ldaptest2computer8
1918 servicePrincipalName: host/ldaptest2computer9
1919 servicePrincipalName: host/ldaptest2computer10
1920 servicePrincipalName: host/ldaptest2computer11
1921 servicePrincipalName: host/ldaptest2computer12
1922 servicePrincipalName: host/ldaptest2computer13
1923 servicePrincipalName: host/ldaptest2computer14
1924 servicePrincipalName: host/ldaptest2computer15
1925 servicePrincipalName: host/ldaptest2computer16
1926 servicePrincipalName: host/ldaptest2computer17
1927 servicePrincipalName: host/ldaptest2computer18
1928 servicePrincipalName: host/ldaptest2computer19
1929 servicePrincipalName: host/ldaptest2computer20
1930 servicePrincipalName: host/ldaptest2computer21
1931 servicePrincipalName: host/ldaptest2computer22
1932 servicePrincipalName: host/ldaptest2computer23
1933 servicePrincipalName: host/ldaptest2computer24
1934 servicePrincipalName: host/ldaptest2computer25
1935 servicePrincipalName: host/ldaptest2computer26
1936 servicePrincipalName: host/ldaptest2computer27
1937 servicePrincipalName: host/ldaptest2computer28
1938 servicePrincipalName: host/ldaptest2computer29
1941 res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE,
1942 attrs=["servicePrincipalName;range=0-*"])
1943 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
1944 #print len(res[0]["servicePrincipalName;range=0-*"])
1945 self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30)
1947 res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-19"])
1948 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
1949 # print res[0]["servicePrincipalName;range=0-19"].length
1950 self.assertEquals(len(res[0]["servicePrincipalName;range=0-19"]), 20)
1953 res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-30"])
1954 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
1955 self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30)
1957 res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-40"])
1958 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
1959 self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30)
1961 res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=30-40"])
1962 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
1963 self.assertEquals(len(res[0]["servicePrincipalName;range=30-*"]), 0)
1966 res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=10-40"])
1967 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
1968 self.assertEquals(len(res[0]["servicePrincipalName;range=10-*"]), 20)
1969 # pos_11 = res[0]["servicePrincipalName;range=10-*"][18]
1971 res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=11-40"])
1972 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
1973 self.assertEquals(len(res[0]["servicePrincipalName;range=11-*"]), 19)
1974 # print res[0]["servicePrincipalName;range=11-*"][18]
1976 # self.assertEquals((res[0]["servicePrincipalName;range=11-*"][18]), pos_11)
1978 res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=11-15"])
1979 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
1980 self.assertEquals(len(res[0]["servicePrincipalName;range=11-15"]), 5)
1981 # self.assertEquals(res[0]["servicePrincipalName;range=11-15"][4], pos_11)
1983 res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName"])
1984 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
1985 # print res[0]["servicePrincipalName"][18]
1987 self.assertEquals(len(res[0]["servicePrincipalName"]), 30)
1988 # self.assertEquals(res[0]["servicePrincipalName"][18], pos_11)
1990 self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
1992 "dn": "cn=ldaptestuser2,cn=useRs," + self.base_dn,
1993 "objectClass": ["person", "user"],
1994 "cn": "LDAPtestUSER2",
1995 "givenname": "testy",
1996 "sn": "ldap user2"})
1998 print "Testing Ambigious Name Resolution"
1999 # Testing ldb.search for (&(anr=ldap testy)(objectClass=user))
2000 res = ldb.search(expression="(&(anr=ldap testy)(objectClass=user))")
2001 self.assertEquals(len(res), 3, "Found only %d of 3 for (&(anr=ldap testy)(objectClass=user))" % len(res))
2003 # Testing ldb.search for (&(anr=testy ldap)(objectClass=user))
2004 res = ldb.search(expression="(&(anr=testy ldap)(objectClass=user))")
2005 self.assertEquals(len(res), 2, "Found only %d of 2 for (&(anr=testy ldap)(objectClass=user))" % len(res))
2007 # Testing ldb.search for (&(anr=ldap)(objectClass=user))
2008 res = ldb.search(expression="(&(anr=ldap)(objectClass=user))")
2009 self.assertEquals(len(res), 4, "Found only %d of 4 for (&(anr=ldap)(objectClass=user))" % len(res))
2011 # Testing ldb.search for (&(anr==ldap)(objectClass=user))
2012 res = ldb.search(expression="(&(anr==ldap)(objectClass=user))")
2013 self.assertEquals(len(res), 1, "Could not find (&(anr==ldap)(objectClass=user)). Found only %d for (&(anr=ldap)(objectClass=user))" % len(res))
2015 self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
2016 self.assertEquals(res[0]["cn"][0], "ldaptestuser")
2017 self.assertEquals(str(res[0]["name"]), "ldaptestuser")
2019 # Testing ldb.search for (&(anr=testy)(objectClass=user))
2020 res = ldb.search(expression="(&(anr=testy)(objectClass=user))")
2021 self.assertEquals(len(res), 2, "Found only %d for (&(anr=testy)(objectClass=user))" % len(res))
2023 # Testing ldb.search for (&(anr=testy ldap)(objectClass=user))
2024 res = ldb.search(expression="(&(anr=testy ldap)(objectClass=user))")
2025 self.assertEquals(len(res), 2, "Found only %d for (&(anr=testy ldap)(objectClass=user))" % len(res))
2027 # Testing ldb.search for (&(anr==testy ldap)(objectClass=user))
2028 # this test disabled for the moment, as anr with == tests are not understood
2029 # res = ldb.search(expression="(&(anr==testy ldap)(objectClass=user))")
2030 # self.assertEquals(len(res), 1, "Found only %d for (&(anr==testy ldap)(objectClass=user))" % len(res))
2032 # self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
2033 # self.assertEquals(res[0]["cn"][0], "ldaptestuser")
2034 # self.assertEquals(res[0]["name"][0], "ldaptestuser")
2036 # Testing ldb.search for (&(anr==testy ldap)(objectClass=user))
2037 # res = ldb.search(expression="(&(anr==testy ldap)(objectClass=user))")
2038 # self.assertEquals(len(res), 1, "Could not find (&(anr==testy ldap)(objectClass=user))")
2040 # self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
2041 # self.assertEquals(res[0]["cn"][0], "ldaptestuser")
2042 # self.assertEquals(res[0]["name"][0], "ldaptestuser")
2044 # Testing ldb.search for (&(anr=testy ldap user)(objectClass=user))
2045 res = ldb.search(expression="(&(anr=testy ldap user)(objectClass=user))")
2046 self.assertEquals(len(res), 1, "Could not find (&(anr=testy ldap user)(objectClass=user))")
2048 self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
2049 self.assertEquals(str(res[0]["cn"]), "ldaptestuser2")
2050 self.assertEquals(str(res[0]["name"]), "ldaptestuser2")
2052 # Testing ldb.search for (&(anr==testy ldap user2)(objectClass=user))
2053 # res = ldb.search(expression="(&(anr==testy ldap user2)(objectClass=user))")
2054 # self.assertEquals(len(res), 1, "Could not find (&(anr==testy ldap user2)(objectClass=user))")
2056 self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
2057 self.assertEquals(str(res[0]["cn"]), "ldaptestuser2")
2058 self.assertEquals(str(res[0]["name"]), "ldaptestuser2")
2060 # Testing ldb.search for (&(anr==ldap user2)(objectClass=user))
2061 # res = ldb.search(expression="(&(anr==ldap user2)(objectClass=user))")
2062 # self.assertEquals(len(res), 1, "Could not find (&(anr==ldap user2)(objectClass=user))")
2064 self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
2065 self.assertEquals(str(res[0]["cn"]), "ldaptestuser2")
2066 self.assertEquals(str(res[0]["name"]), "ldaptestuser2")
2068 # Testing ldb.search for (&(anr==not ldap user2)(objectClass=user))
2069 # res = ldb.search(expression="(&(anr==not ldap user2)(objectClass=user))")
2070 # self.assertEquals(len(res), 0, "Must not find (&(anr==not ldap user2)(objectClass=user))")
2072 # Testing ldb.search for (&(anr=not ldap user2)(objectClass=user))
2073 res = ldb.search(expression="(&(anr=not ldap user2)(objectClass=user))")
2074 self.assertEquals(len(res), 0, "Must not find (&(anr=not ldap user2)(objectClass=user))")
2076 # Testing ldb.search for (&(anr="testy ldap")(objectClass=user)) (ie, with quotes)
2077 # res = ldb.search(expression="(&(anr==\"testy ldap\")(objectClass=user))")
2078 # self.assertEquals(len(res), 0, "Found (&(anr==\"testy ldap\")(objectClass=user))")
2080 print "Testing Renames"
2082 attrs = ["objectGUID", "objectSid"]
2083 print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))"
2084 res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs)
2085 self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))")
2087 # Check rename works with extended/alternate DN forms
2088 ldb.rename("<SID=" + ldb.schema_format_value("objectSID", res_user[0]["objectSID"][0]) + ">" , "cn=ldaptestUSER3,cn=users," + self.base_dn)
2090 print "Testing ldb.search for (&(cn=ldaptestuser3)(objectClass=user))"
2091 res = ldb.search(expression="(&(cn=ldaptestuser3)(objectClass=user))")
2092 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser3)(objectClass=user))")
2094 self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
2095 self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
2096 self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
2098 #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))"
2099 res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))")
2100 self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))")
2102 self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
2103 self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
2104 self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
2106 #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))"
2107 res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))")
2108 self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))")
2110 self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
2111 self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
2112 self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
2114 #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))"
2115 res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))")
2116 self.assertEquals(len(res), 0, "(&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))")
2118 # This is a Samba special, and does not exist in real AD
2119 # print "Testing ldb.search for (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")"
2120 # res = ldb.search("(dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")")
2121 # if (res.error != 0 || len(res) != 1) {
2122 # print "Could not find (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")"
2123 # self.assertEquals(len(res), 1)
2125 # self.assertEquals(res[0].dn, ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
2126 # self.assertEquals(res[0].cn, "ldaptestUSER3")
2127 # self.assertEquals(res[0].name, "ldaptestUSER3")
2129 print "Testing ldb.search for (distinguishedName=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")"
2130 res = ldb.search(expression="(distinguishedName=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")")
2131 self.assertEquals(len(res), 1, "Could not find (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")")
2132 self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
2133 self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
2134 self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
2136 # ensure we cannot add it again
2138 ldb.add({"dn": "cn=ldaptestuser3,cn=userS," + self.base_dn,
2139 "objectClass": ["person", "user"],
2140 "cn": "LDAPtestUSER3"})
2142 except LdbError, (num, _):
2143 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
2146 ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn)
2148 # ensure we cannot rename it twice
2150 ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn,
2151 "cn=ldaptestuser2,cn=users," + self.base_dn)
2153 except LdbError, (num, _):
2154 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
2156 # ensure can now use that name
2157 ldb.add({"dn": "cn=ldaptestuser3,cn=users," + self.base_dn,
2158 "objectClass": ["person", "user"],
2159 "cn": "LDAPtestUSER3"})
2161 # ensure we now cannot rename
2163 ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn)
2165 except LdbError, (num, _):
2166 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
2168 ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=configuration," + self.base_dn)
2170 except LdbError, (num, _):
2171 self.assertTrue(num in (71, 64))
2173 ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser5,cn=users," + self.base_dn)
2175 ldb.delete("cn=ldaptestuser5,cn=users," + self.base_dn)
2177 self.delete_force(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
2179 ldb.rename("cn=ldaptestgroup,cn=users," + self.base_dn, "cn=ldaptestgroup2,cn=users," + self.base_dn)
2181 print "Testing subtree renames"
2183 ldb.add({"dn": "cn=ldaptestcontainer," + self.base_dn,
2184 "objectClass": "container"})
2186 ldb.add({"dn": "CN=ldaptestuser4,CN=ldaptestcontainer," + self.base_dn,
2187 "objectClass": ["person", "user"],
2188 "cn": "LDAPtestUSER4"})
2191 dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
2194 member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """
2195 member: cn=ldaptestcomputer,cn=computers,""" + self.base_dn + """
2196 member: cn=ldaptestuser2,cn=users,""" + self.base_dn + """
2199 print "Testing ldb.rename of cn=ldaptestcontainer," + self.base_dn + " to cn=ldaptestcontainer2," + self.base_dn
2200 ldb.rename("CN=ldaptestcontainer," + self.base_dn, "CN=ldaptestcontainer2," + self.base_dn)
2202 print "Testing ldb.search for (&(cn=ldaptestuser4)(objectClass=user))"
2203 res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))")
2204 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser4)(objectClass=user))")
2206 print "Testing subtree ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn
2208 res = ldb.search("cn=ldaptestcontainer," + self.base_dn,
2209 expression="(&(cn=ldaptestuser4)(objectClass=user))",
2210 scope=SCOPE_SUBTREE)
2212 except LdbError, (num, _):
2213 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
2215 print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn
2217 res = ldb.search("cn=ldaptestcontainer," + self.base_dn,
2218 expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_ONELEVEL)
2220 except LdbError, (num, _):
2221 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
2223 print "Testing ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in renamed container"
2224 res = ldb.search("cn=ldaptestcontainer2," + self.base_dn, expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_SUBTREE)
2225 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser4)(objectClass=user)) under cn=ldaptestcontainer2," + self.base_dn)
2227 self.assertEquals(str(res[0].dn), ("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn))
2228 self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
2232 print "Testing ldb.search for (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)) to check subtree renames and linked attributes"
2233 res = ldb.search(self.base_dn, expression="(&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group))", scope=SCOPE_SUBTREE)
2234 self.assertEquals(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not consistant with subtree renames?")
2236 print "Testing ldb.rename (into itself) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn
2238 ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn)
2240 except LdbError, (num, _):
2241 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
2243 print "Testing ldb.rename (into non-existent container) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn
2245 ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn)
2247 except LdbError, (num, _):
2248 self.assertTrue(num in (ERR_UNWILLING_TO_PERFORM, ERR_OTHER))
2250 print "Testing delete (should fail, not a leaf node) of renamed cn=ldaptestcontainer2," + self.base_dn
2252 ldb.delete("cn=ldaptestcontainer2," + self.base_dn)
2254 except LdbError, (num, _):
2255 self.assertEquals(num, ERR_NOT_ALLOWED_ON_NON_LEAF)
2257 print "Testing base ldb.search for CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn
2258 res = ldb.search(expression="(objectclass=*)", base=("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn), scope=SCOPE_BASE)
2259 self.assertEquals(len(res), 1)
2260 res = ldb.search(expression="(cn=ldaptestuser40)", base=("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn), scope=SCOPE_BASE)
2261 self.assertEquals(len(res), 0)
2263 print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in cn=ldaptestcontainer2," + self.base_dn
2264 res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))", base=("cn=ldaptestcontainer2," + self.base_dn), scope=SCOPE_ONELEVEL)
2265 # FIXME: self.assertEquals(len(res), 0)
2267 print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in cn=ldaptestcontainer2," + self.base_dn
2268 res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))", base=("cn=ldaptestcontainer2," + self.base_dn), scope=SCOPE_SUBTREE)
2269 # FIXME: self.assertEquals(len(res), 0)
2271 print "Testing delete of subtree renamed "+("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn)
2272 ldb.delete(("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn))
2273 print "Testing delete of renamed cn=ldaptestcontainer2," + self.base_dn
2274 ldb.delete("cn=ldaptestcontainer2," + self.base_dn)
2276 ldb.add({"dn": "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn, "objectClass": "user"})
2278 ldb.add({"dn": "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn, "objectClass": "user"})
2280 print "Testing ldb.search for (&(cn=ldaptestuser)(objectClass=user))"
2281 res = ldb.search(expression="(&(cn=ldaptestuser)(objectClass=user))")
2282 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))")
2284 self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
2285 self.assertEquals(str(res[0]["cn"]), "ldaptestuser")
2286 self.assertEquals(str(res[0]["name"]), "ldaptestuser")
2287 self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user"]))
2288 self.assertTrue("objectGUID" in res[0])
2289 self.assertTrue("whenCreated" in res[0])
2290 self.assertEquals(str(res[0]["objectCategory"]), ("CN=Person,CN=Schema,CN=Configuration," + self.base_dn))
2291 self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT)
2292 self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
2293 self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
2294 self.assertEquals(len(res[0]["memberOf"]), 1)
2296 print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))"
2297 res2 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))")
2298 self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))")
2300 self.assertEquals(res[0].dn, res2[0].dn)
2302 print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon))"
2303 res3 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))")
2304 self.assertEquals(len(res3), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)): matched %d" % len(res3))
2306 self.assertEquals(res[0].dn, res3[0].dn)
2308 if gc_ldb is not None:
2309 print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog"
2310 res3gc = gc_ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))")
2311 self.assertEquals(len(res3gc), 1)
2313 self.assertEquals(res[0].dn, res3gc[0].dn)
2315 print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in with 'phantom root' control"
2317 if gc_ldb is not None:
2318 res3control = gc_ldb.search(self.base_dn, expression="(&(cn=ldaptestuser)(objectCategory=PerSon))", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"])
2319 self.assertEquals(len(res3control), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog")
2321 self.assertEquals(res[0].dn, res3control[0].dn)
2323 ldb.delete(res[0].dn)
2325 print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectClass=user))"
2326 res = ldb.search(expression="(&(cn=ldaptestcomputer)(objectClass=user))")
2327 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))")
2329 self.assertEquals(str(res[0].dn), ("CN=ldaptestcomputer,CN=Computers," + self.base_dn))
2330 self.assertEquals(str(res[0]["cn"]), "ldaptestcomputer")
2331 self.assertEquals(str(res[0]["name"]), "ldaptestcomputer")
2332 self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user", "computer"]))
2333 self.assertTrue("objectGUID" in res[0])
2334 self.assertTrue("whenCreated" in res[0])
2335 self.assertEquals(str(res[0]["objectCategory"]), ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn))
2336 self.assertEquals(int(res[0]["primaryGroupID"][0]), 513)
2337 self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT)
2338 self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
2339 self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
2340 self.assertEquals(len(res[0]["memberOf"]), 1)
2342 print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))"
2343 res2 = ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))")
2344 self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))")
2346 self.assertEquals(res[0].dn, res2[0].dn)
2348 if gc_ldb is not None:
2349 print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + ")) in Global Catlog"
2350 res2gc = gc_ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))")
2351 self.assertEquals(len(res2gc), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + ")) in Global Catlog")
2353 self.assertEquals(res[0].dn, res2gc[0].dn)
2355 print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=compuTER))"
2356 res3 = ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=compuTER))")
2357 self.assertEquals(len(res3), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=compuTER))")
2359 self.assertEquals(res[0].dn, res3[0].dn)
2361 if gc_ldb is not None:
2362 print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=compuTER)) in Global Catalog"
2363 res3gc = gc_ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=compuTER))")
2364 self.assertEquals(len(res3gc), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=compuTER)) in Global Catalog")
2366 self.assertEquals(res[0].dn, res3gc[0].dn)
2368 print "Testing ldb.search for (&(cn=ldaptestcomp*r)(objectCategory=compuTER))"
2369 res4 = ldb.search(expression="(&(cn=ldaptestcomp*r)(objectCategory=compuTER))")
2370 self.assertEquals(len(res4), 1, "Could not find (&(cn=ldaptestcomp*r)(objectCategory=compuTER))")
2372 self.assertEquals(res[0].dn, res4[0].dn)
2374 print "Testing ldb.search for (&(cn=ldaptestcomput*)(objectCategory=compuTER))"
2375 res5 = ldb.search(expression="(&(cn=ldaptestcomput*)(objectCategory=compuTER))")
2376 self.assertEquals(len(res5), 1, "Could not find (&(cn=ldaptestcomput*)(objectCategory=compuTER))")
2378 self.assertEquals(res[0].dn, res5[0].dn)
2380 print "Testing ldb.search for (&(cn=*daptestcomputer)(objectCategory=compuTER))"
2381 res6 = ldb.search(expression="(&(cn=*daptestcomputer)(objectCategory=compuTER))")
2382 self.assertEquals(len(res6), 1, "Could not find (&(cn=*daptestcomputer)(objectCategory=compuTER))")
2384 self.assertEquals(res[0].dn, res6[0].dn)
2386 ldb.delete("<GUID=" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + ">")
2388 print "Testing ldb.search for (&(cn=ldaptest2computer)(objectClass=user))"
2389 res = ldb.search(expression="(&(cn=ldaptest2computer)(objectClass=user))")
2390 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptest2computer)(objectClass=user))")
2392 self.assertEquals(str(res[0].dn), "CN=ldaptest2computer,CN=Computers," + self.base_dn)
2393 self.assertEquals(str(res[0]["cn"]), "ldaptest2computer")
2394 self.assertEquals(str(res[0]["name"]), "ldaptest2computer")
2395 self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user", "computer"])
2396 self.assertTrue("objectGUID" in res[0])
2397 self.assertTrue("whenCreated" in res[0])
2398 self.assertEquals(res[0]["objectCategory"][0], "CN=Computer,CN=Schema,CN=Configuration," + self.base_dn)
2399 self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_WORKSTATION_TRUST)
2400 self.assertEquals(int(res[0]["userAccountControl"][0]), UF_WORKSTATION_TRUST_ACCOUNT)
2402 ldb.delete("<SID=" + ldb.schema_format_value("objectSID", res[0]["objectSID"][0]) + ">")
2404 attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "memberOf", "allowedAttributes", "allowedAttributesEffective"]
2405 print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))"
2406 res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs)
2407 self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))")
2409 self.assertEquals(str(res_user[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
2410 self.assertEquals(str(res_user[0]["cn"]), "ldaptestuser2")
2411 self.assertEquals(str(res_user[0]["name"]), "ldaptestuser2")
2412 self.assertEquals(list(res_user[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"])
2413 self.assertTrue("objectSid" in res_user[0])
2414 self.assertTrue("objectGUID" in res_user[0])
2415 self.assertTrue("whenCreated" in res_user[0])
2416 self.assertTrue("nTSecurityDescriptor" in res_user[0])
2417 self.assertTrue("allowedAttributes" in res_user[0])
2418 self.assertTrue("allowedAttributesEffective" in res_user[0])
2419 self.assertEquals(res_user[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
2421 ldaptestuser2_sid = res_user[0]["objectSid"][0]
2422 ldaptestuser2_guid = res_user[0]["objectGUID"][0]
2424 attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "member", "allowedAttributes", "allowedAttributesEffective"]
2425 print "Testing ldb.search for (&(cn=ldaptestgroup2)(objectClass=group))"
2426 res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs)
2427 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))")
2429 self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
2430 self.assertEquals(str(res[0]["cn"]), "ldaptestgroup2")
2431 self.assertEquals(str(res[0]["name"]), "ldaptestgroup2")
2432 self.assertEquals(list(res[0]["objectClass"]), ["top", "group"])
2433 self.assertTrue("objectGUID" in res[0])
2434 self.assertTrue("objectSid" in res[0])
2435 self.assertTrue("whenCreated" in res[0])
2436 self.assertTrue("nTSecurityDescriptor" in res[0])
2437 self.assertTrue("allowedAttributes" in res[0])
2438 self.assertTrue("allowedAttributesEffective" in res[0])
2440 for m in res[0]["member"]:
2441 memberUP.append(m.upper())
2442 self.assertTrue(("CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP)
2444 res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs, controls=["extended_dn:1:1"])
2445 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))")
2447 print res[0]["member"]
2449 for m in res[0]["member"]:
2450 memberUP.append(m.upper())
2451 print ("<GUID=" + ldb.schema_format_value("objectGUID", ldaptestuser2_guid) + ">;<SID=" + ldb.schema_format_value("objectSid", ldaptestuser2_sid) + ">;CN=ldaptestuser2,CN=Users," + self.base_dn).upper()
2453 self.assertTrue(("<GUID=" + ldb.schema_format_value("objectGUID", ldaptestuser2_guid) + ">;<SID=" + ldb.schema_format_value("objectSid", ldaptestuser2_sid) + ">;CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP)
2455 print "Quicktest for linked attributes"
2457 dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
2460 member: CN=ldaptestuser2,CN=Users,""" + self.base_dn + """
2461 member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
2465 dn: <GUID=""" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + """>
2468 member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
2472 dn: <SID=""" + ldb.schema_format_value("objectSid", res[0]["objectSid"][0]) + """>
2478 dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
2481 member: <GUID=""" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + """>
2482 member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
2486 dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
2492 dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
2495 member: <SID=""" + ldb.schema_format_value("objectSid", res_user[0]["objectSid"][0]) + """>
2496 member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
2500 dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
2503 member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
2506 res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs)
2507 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))")
2509 self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
2510 self.assertEquals(res[0]["member"][0], ("CN=ldaptestuser2,CN=Users," + self.base_dn))
2511 self.assertEquals(len(res[0]["member"]), 1)
2513 ldb.delete(("CN=ldaptestuser2,CN=Users," + self.base_dn))
2517 attrs = ["cn", "name", "objectClass", "objectGUID", "whenCreated", "nTSecurityDescriptor", "member"]
2518 print "Testing ldb.search for (&(cn=ldaptestgroup2)(objectClass=group)) to check linked delete"
2519 res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs)
2520 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group)) to check linked delete")
2522 self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
2523 self.assertTrue("member" not in res[0])
2525 print "Testing ldb.search for (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))"
2526 # TODO UTF8 users don't seem to work fully anymore
2527 # res = ldb.search(expression="(&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
2528 res = ldb.search(expression="(&(cn=ldaptestutf8user èùéìòà)(objectclass=user))")
2529 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
2531 self.assertEquals(str(res[0].dn), ("CN=ldaptestutf8user èùéìòà,CN=Users," + self.base_dn))
2532 self.assertEquals(str(res[0]["cn"]), "ldaptestutf8user èùéìòà")
2533 self.assertEquals(str(res[0]["name"]), "ldaptestutf8user èùéìòà")
2534 self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"])
2535 self.assertTrue("objectGUID" in res[0])
2536 self.assertTrue("whenCreated" in res[0])
2538 ldb.delete(res[0].dn)
2540 print "Testing ldb.search for (&(cn=ldaptestutf8user2*)(objectClass=user))"
2541 res = ldb.search(expression="(&(cn=ldaptestutf8user2*)(objectClass=user))")
2542 self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user2*)(objectClass=user))")
2544 ldb.delete(res[0].dn)
2546 ldb.delete(("CN=ldaptestgroup2,CN=Users," + self.base_dn))
2548 print "Testing ldb.search for (&(cn=ldaptestutf8user2 ÈÙÉÌÒÀ)(objectClass=user))"
2549 # TODO UTF8 users don't seem to work fully anymore
2550 # res = ldb.search(expression="(&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
2551 # self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
2553 print "Testing that we can't get at the configuration DN from the main search base"
2554 res = ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"])
2555 self.assertEquals(len(res), 0)
2557 print "Testing that we can get at the configuration DN from the main search base on the LDAP port with the 'phantom root' search_options control"
2558 res = ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"])
2559 self.assertTrue(len(res) > 0)
2561 if gc_ldb is not None:
2562 print "Testing that we can get at the configuration DN from the main search base on the GC port with the search_options control == 0"
2564 res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:0"])
2565 self.assertTrue(len(res) > 0)
2567 print "Testing that we do find configuration elements in the global catlog"
2568 res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"])
2569 self.assertTrue(len(res) > 0)
2571 print "Testing that we do find configuration elements and user elements at the same time"
2572 res = gc_ldb.search(self.base_dn, expression="(|(objectClass=crossRef)(objectClass=person))", scope=SCOPE_SUBTREE, attrs=["cn"])
2573 self.assertTrue(len(res) > 0)
2575 print "Testing that we do find configuration elements in the global catlog, with the configuration basedn"
2576 res = gc_ldb.search(self.configuration_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"])
2577 self.assertTrue(len(res) > 0)
2579 print "Testing that we can get at the configuration DN on the main LDAP port"
2580 res = ldb.search(self.configuration_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"])
2581 self.assertTrue(len(res) > 0)
2583 print "Testing objectCategory canonacolisation"
2584 res = ldb.search(self.configuration_dn, expression="objectCategory=ntDsDSA", scope=SCOPE_SUBTREE, attrs=["cn"])
2585 self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=ntDsDSA")
2586 self.assertTrue(len(res) != 0)
2588 res = ldb.search(self.configuration_dn, expression="objectCategory=CN=ntDs-DSA," + self.schema_dn, scope=SCOPE_SUBTREE, attrs=["cn"])
2589 self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=CN=ntDs-DSA," + self.schema_dn)
2590 self.assertTrue(len(res) != 0)
2592 print "Testing objectClass attribute order on "+ self.base_dn
2593 res = ldb.search(expression="objectClass=domain", base=self.base_dn,
2594 scope=SCOPE_BASE, attrs=["objectClass"])
2595 self.assertEquals(len(res), 1)
2597 self.assertEquals(list(res[0]["objectClass"]), ["top", "domain", "domainDNS"])
2601 print "Testing ldb.search for objectCategory=person"
2602 res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"])
2603 self.assertTrue(len(res) > 0)
2605 print "Testing ldb.search for objectCategory=person with domain scope control"
2606 res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
2607 self.assertTrue(len(res) > 0)
2609 print "Testing ldb.search for objectCategory=user"
2610 res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"])
2611 self.assertTrue(len(res) > 0)
2613 print "Testing ldb.search for objectCategory=user with domain scope control"
2614 res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
2615 self.assertTrue(len(res) > 0)
2617 print "Testing ldb.search for objectCategory=group"
2618 res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"])
2619 self.assertTrue(len(res) > 0)
2621 print "Testing ldb.search for objectCategory=group with domain scope control"
2622 res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
2623 self.assertTrue(len(res) > 0)
2625 print "Testing creating a user with the posixAccount objectClass"
2626 self.ldb.add_ldif("""dn: cn=posixuser,CN=Users,%s
2629 objectClass: posixAccount
2631 objectClass: organizationalPerson
2637 homeDirectory: /home/posixuser
2638 loginShell: /bin/bash
2639 gecos: Posix User;;;
2640 description: A POSIX user"""% (self.base_dn))
2642 print "Testing removing the posixAccount objectClass from an existing user"
2643 self.ldb.modify_ldif("""dn: cn=posixuser,CN=Users,%s
2646 objectClass: posixAccount"""% (self.base_dn))
2648 print "Testing adding the posixAccount objectClass to an existing user"
2649 self.ldb.modify_ldif("""dn: cn=posixuser,CN=Users,%s
2652 objectClass: posixAccount"""% (self.base_dn))
2654 self.delete_force(self.ldb, "cn=posixuser,cn=users," + self.base_dn)
2655 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
2656 self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
2657 self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
2658 self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn)
2659 self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer2," + self.base_dn)
2660 self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn)
2661 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2662 self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
2663 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2664 self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn)
2665 self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
2666 self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn)
2667 self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn)
2668 self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
2669 self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn)
2671 def test_security_descriptor_add(self):
2672 """ Testing ldb.add_ldif() for nTSecurityDescriptor """
2673 user_name = "testdescriptoruser1"
2674 user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
2676 # Test add_ldif() with SDDL security descriptor input
2678 self.delete_force(self.ldb, user_dn)
2680 sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
2681 self.ldb.add_ldif("""
2682 dn: """ + user_dn + """
2684 sAMAccountName: """ + user_name + """
2685 nTSecurityDescriptor: """ + sddl)
2686 res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
2687 desc = res[0]["nTSecurityDescriptor"][0]
2688 desc = ndr_unpack( security.descriptor, desc )
2689 desc_sddl = desc.as_sddl( self.domain_sid )
2690 self.assertEqual(desc_sddl, sddl)
2692 self.delete_force(self.ldb, user_dn)
2694 # Test add_ldif() with BASE64 security descriptor
2697 sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
2698 desc = security.descriptor.from_sddl(sddl, self.domain_sid)
2699 desc_binary = ndr_pack(desc)
2700 desc_base64 = base64.b64encode(desc_binary)
2701 self.ldb.add_ldif("""
2702 dn: """ + user_dn + """
2704 sAMAccountName: """ + user_name + """
2705 nTSecurityDescriptor:: """ + desc_base64)
2706 res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
2707 desc = res[0]["nTSecurityDescriptor"][0]
2708 desc = ndr_unpack(security.descriptor, desc)
2709 desc_sddl = desc.as_sddl(self.domain_sid)
2710 self.assertEqual(desc_sddl, sddl)
2712 self.delete_force(self.ldb, user_dn)
2714 def test_security_descriptor_add_neg(self):
2715 """Test add_ldif() with BASE64 security descriptor input using WRONG domain SID
2718 user_name = "testdescriptoruser1"
2719 user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
2720 self.delete_force(self.ldb, user_dn)
2722 sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
2723 desc = security.descriptor.from_sddl(sddl, security.dom_sid('S-1-5-21'))
2724 desc_base64 = base64.b64encode( ndr_pack(desc) )
2725 self.ldb.add_ldif("""
2726 dn: """ + user_dn + """
2728 sAMAccountName: """ + user_name + """
2729 nTSecurityDescriptor:: """ + desc_base64)
2730 res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
2731 self.assertTrue("nTSecurityDescriptor" in res[0])
2733 self.delete_force(self.ldb, user_dn)
2735 def test_security_descriptor_modify(self):
2736 """ Testing ldb.modify_ldif() for nTSecurityDescriptor """
2737 user_name = "testdescriptoruser2"
2738 user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
2740 # Delete user object and test modify_ldif() with SDDL security descriptor input
2741 # Add ACE to the original descriptor test
2744 self.delete_force(self.ldb, user_dn)
2745 self.ldb.add_ldif("""
2746 dn: """ + user_dn + """
2748 sAMAccountName: """ + user_name)
2750 res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
2751 desc = res[0]["nTSecurityDescriptor"][0]
2752 desc = ndr_unpack(security.descriptor, desc)
2753 desc_sddl = desc.as_sddl(self.domain_sid)
2754 sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
2756 dn: """ + user_dn + """
2758 replace: nTSecurityDescriptor
2759 nTSecurityDescriptor: """ + sddl
2760 self.ldb.modify_ldif(mod)
2761 # Read modified descriptor
2762 res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
2763 desc = res[0]["nTSecurityDescriptor"][0]
2764 desc = ndr_unpack(security.descriptor, desc)
2765 desc_sddl = desc.as_sddl(self.domain_sid)
2766 self.assertEqual(desc_sddl, sddl)
2768 self.delete_force(self.ldb, user_dn)
2770 # Test modify_ldif() with SDDL security descriptor input
2771 # New desctiptor test
2774 self.ldb.add_ldif("""
2775 dn: """ + user_dn + """
2777 sAMAccountName: """ + user_name)
2779 sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
2781 dn: """ + user_dn + """
2783 replace: nTSecurityDescriptor
2784 nTSecurityDescriptor: """ + sddl
2785 self.ldb.modify_ldif(mod)
2786 # Read modified descriptor
2787 res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
2788 desc = res[0]["nTSecurityDescriptor"][0]
2789 desc = ndr_unpack(security.descriptor, desc)
2790 desc_sddl = desc.as_sddl(self.domain_sid)
2791 self.assertEqual(desc_sddl, sddl)
2793 self.delete_force(self.ldb, user_dn)
2795 # Test modify_ldif() with BASE64 security descriptor input
2796 # Add ACE to the original descriptor test
2799 self.ldb.add_ldif("""
2800 dn: """ + user_dn + """
2802 sAMAccountName: """ + user_name)
2804 res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
2805 desc = res[0]["nTSecurityDescriptor"][0]
2806 desc = ndr_unpack(security.descriptor, desc)
2807 desc_sddl = desc.as_sddl(self.domain_sid)
2808 sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
2809 desc = security.descriptor.from_sddl(sddl, self.domain_sid)
2810 desc_base64 = base64.b64encode(ndr_pack(desc))
2812 dn: """ + user_dn + """
2814 replace: nTSecurityDescriptor
2815 nTSecurityDescriptor:: """ + desc_base64
2816 self.ldb.modify_ldif(mod)
2817 # Read modified descriptor
2818 res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
2819 desc = res[0]["nTSecurityDescriptor"][0]
2820 desc = ndr_unpack(security.descriptor, desc)
2821 desc_sddl = desc.as_sddl(self.domain_sid)
2822 self.assertEqual(desc_sddl, sddl)
2824 self.delete_force(self.ldb, user_dn)
2826 # Test modify_ldif() with BASE64 security descriptor input
2827 # New descriptor test
2830 self.delete_force(self.ldb, user_dn)
2831 self.ldb.add_ldif("""
2832 dn: """ + user_dn + """
2834 sAMAccountName: """ + user_name)
2836 sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
2837 desc = security.descriptor.from_sddl(sddl, self.domain_sid)
2838 desc_base64 = base64.b64encode(ndr_pack(desc))
2840 dn: """ + user_dn + """
2842 replace: nTSecurityDescriptor
2843 nTSecurityDescriptor:: """ + desc_base64
2844 self.ldb.modify_ldif(mod)
2845 # Read modified descriptor
2846 res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
2847 desc = res[0]["nTSecurityDescriptor"][0]
2848 desc = ndr_unpack(security.descriptor, desc)
2849 desc_sddl = desc.as_sddl(self.domain_sid)
2850 self.assertEqual(desc_sddl, sddl)
2852 self.delete_force(self.ldb, user_dn)
2855 class BaseDnTests(unittest.TestCase):
2858 super(BaseDnTests, self).setUp()
2861 def test_rootdse_attrs(self):
2862 """Testing for all rootDSE attributes"""
2863 res = self.ldb.search(scope=SCOPE_BASE, attrs=[])
2864 self.assertEquals(len(res), 1)
2866 def test_highestcommittedusn(self):
2867 """Testing for highestCommittedUSN"""
2868 res = self.ldb.search("", scope=SCOPE_BASE, attrs=["highestCommittedUSN"])
2869 self.assertEquals(len(res), 1)
2870 self.assertTrue(int(res[0]["highestCommittedUSN"][0]) != 0)
2872 def test_netlogon(self):
2873 """Testing for netlogon via LDAP"""
2874 res = self.ldb.search("", scope=SCOPE_BASE, attrs=["netlogon"])
2875 self.assertEquals(len(res), 0)
2877 def test_netlogon_highestcommitted_usn(self):
2878 """Testing for netlogon and highestCommittedUSN via LDAP"""
2879 res = self.ldb.search("", scope=SCOPE_BASE,
2880 attrs=["netlogon", "highestCommittedUSN"])
2881 self.assertEquals(len(res), 0)
2883 def test_namingContexts(self):
2884 """Testing for namingContexts in rootDSE"""
2885 res = self.ldb.search("", scope=SCOPE_BASE,
2886 attrs=["namingContexts", "defaultNamingContext", "schemaNamingContext", "configurationNamingContext"])
2887 self.assertEquals(len(res), 1)
2890 for nc in res[0]["namingContexts"]:
2891 self.assertTrue(nc not in ncs)
2894 self.assertTrue(res[0]["defaultNamingContext"][0] in ncs)
2895 self.assertTrue(res[0]["configurationNamingContext"][0] in ncs)
2896 self.assertTrue(res[0]["schemaNamingContext"][0] in ncs)
2898 def test_serverPath(self):
2899 """Testing the server paths in rootDSE"""
2900 res = self.ldb.search("", scope=SCOPE_BASE,
2901 attrs=["dsServiceName", "serverName"])
2902 self.assertEquals(len(res), 1)
2904 self.assertTrue("CN=Servers" in res[0]["dsServiceName"][0])
2905 self.assertTrue("CN=Sites" in res[0]["dsServiceName"][0])
2906 self.assertTrue("CN=NTDS Settings" in res[0]["dsServiceName"][0])
2907 self.assertTrue("CN=Servers" in res[0]["serverName"][0])
2908 self.assertTrue("CN=Sites" in res[0]["serverName"][0])
2909 self.assertFalse("CN=NTDS Settings" in res[0]["serverName"][0])
2911 def test_dnsHostname(self):
2912 """Testing the DNS hostname in rootDSE"""
2913 res = self.ldb.search("", scope=SCOPE_BASE,
2914 attrs=["dnsHostName", "serverName"])
2915 self.assertEquals(len(res), 1)
2917 res2 = self.ldb.search(res[0]["serverName"][0], scope=SCOPE_BASE,
2918 attrs=["dNSHostName"])
2919 self.assertEquals(len(res2), 1)
2921 self.assertEquals(res[0]["dnsHostName"][0], res2[0]["dNSHostName"][0])
2923 def test_ldapServiceName(self):
2924 """Testing the ldap service name in rootDSE"""
2925 res = self.ldb.search("", scope=SCOPE_BASE,
2926 attrs=["ldapServiceName", "dNSHostName"])
2927 self.assertEquals(len(res), 1)
2929 (hostname, _, dns_domainname) = res[0]["dNSHostName"][0].partition(".")
2930 self.assertTrue(":%s$@%s" % (hostname, dns_domainname.upper())
2931 in res[0]["ldapServiceName"][0])
2933 if not "://" in host:
2934 if os.path.isfile(host):
2935 host = "tdb://%s" % host
2937 host = "ldap://%s" % host
2939 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
2940 if not "tdb://" in host:
2941 gc_ldb = Ldb("%s:3268" % host, credentials=creds,
2942 session_info=system_session(), lp=lp)
2946 runner = SubunitTestRunner()
2948 if not runner.run(unittest.makeSuite(BaseDnTests)).wasSuccessful():
2950 if not runner.run(unittest.makeSuite(BasicTests)).wasSuccessful():