2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
9 sys.path.append("bin/python")
11 samba.ensure_external_module("testtools", "testtools")
12 samba.ensure_external_module("subunit", "subunit/python")
14 import samba.getopt as options
16 from samba.auth import system_session
17 from ldb import SCOPE_BASE, LdbError
18 from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
19 from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM
20 from ldb import ERR_OTHER, ERR_NO_SUCH_ATTRIBUTE
21 from ldb import ERR_OBJECT_CLASS_VIOLATION
22 from ldb import ERR_CONSTRAINT_VIOLATION
23 from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
24 from ldb import Message, MessageElement, Dn
25 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
27 from samba.dsdb import (UF_NORMAL_ACCOUNT,
28 UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
29 UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
30 UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT,
31 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
32 GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP,
33 GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP, GTYPE_DISTRIBUTION_GLOBAL_GROUP,
34 GTYPE_DISTRIBUTION_UNIVERSAL_GROUP,
35 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_UNIVERSAL_GROUP,
36 ATYPE_SECURITY_LOCAL_GROUP, ATYPE_DISTRIBUTION_GLOBAL_GROUP,
37 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP, ATYPE_DISTRIBUTION_LOCAL_GROUP,
38 ATYPE_WORKSTATION_TRUST)
39 from samba.dcerpc.security import (DOMAIN_RID_USERS, DOMAIN_RID_DOMAIN_MEMBERS,
40 DOMAIN_RID_DCS, DOMAIN_RID_READONLY_DCS)
42 from subunit.run import SubunitTestRunner
45 from samba.ndr import ndr_unpack
46 from samba.dcerpc import security
48 parser = optparse.OptionParser("sam.py [options] <host>")
49 sambaopts = options.SambaOptions(parser)
50 parser.add_option_group(sambaopts)
51 parser.add_option_group(options.VersionOptions(parser))
52 # use command line creds if available
53 credopts = options.CredentialsOptions(parser)
54 parser.add_option_group(credopts)
55 opts, args = parser.parse_args()
63 lp = sambaopts.get_loadparm()
64 creds = credopts.get_credentials(lp)
66 class SamTests(unittest.TestCase):
68 def delete_force(self, ldb, dn):
71 except LdbError, (num, _):
72 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
74 def find_basedn(self, ldb):
75 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
76 attrs=["defaultNamingContext"])
77 self.assertEquals(len(res), 1)
78 return res[0]["defaultNamingContext"][0]
80 def find_domain_sid(self):
81 res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
82 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
85 super(SamTests, self).setUp()
88 self.base_dn = self.find_basedn(ldb)
89 self.domain_sid = self.find_domain_sid()
91 print "baseDN: %s\n" % self.base_dn
93 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
94 self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
95 self.delete_force(self.ldb, "cn=ldaptest\,specialuser,cn=users," + self.base_dn)
96 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
97 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
98 self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
100 def test_users_groups(self):
101 """This tests the SAM users and groups behaviour"""
102 print "Testing users and groups behaviour\n"
105 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
106 "objectclass": "group"})
109 "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
110 "objectclass": "group"})
112 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
113 scope=SCOPE_BASE, attrs=["objectSID"])
114 self.assertTrue(len(res1) == 1)
115 group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID",
116 res1[0]["objectSID"][0])).split()[1]
118 res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
119 scope=SCOPE_BASE, attrs=["objectSID"])
120 self.assertTrue(len(res1) == 1)
121 group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID",
122 res1[0]["objectSID"][0])).split()[1]
124 # Try to create a user with an invalid account name
127 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
128 "objectclass": "user",
129 "sAMAccountName": "administrator"})
131 except LdbError, (num, _):
132 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
133 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
135 # Try to create a user with an invalid account name
138 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
139 "objectclass": "user",
140 "sAMAccountName": []})
142 except LdbError, (num, _):
143 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
144 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
146 # Try to create a user with an invalid primary group
149 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
150 "objectclass": "user",
151 "primaryGroupID": "0"})
153 except LdbError, (num, _):
154 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
155 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
157 # Try to Create a user with a valid primary group
160 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
161 "objectclass": "user",
162 "primaryGroupID": str(group_rid_1)})
164 except LdbError, (num, _):
165 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
166 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
168 # Test to see how we should behave when the user account doesn't
171 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
172 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
177 except LdbError, (num, _):
178 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
180 # Test to see how we should behave when the account isn't a user
182 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
183 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
188 except LdbError, (num, _):
189 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
191 # Test default primary groups on add operations
194 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
195 "objectclass": "user"})
197 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
198 scope=SCOPE_BASE, attrs=["primaryGroupID"])
199 self.assertTrue(len(res1) == 1)
200 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
202 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
205 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
206 "objectclass": "user",
207 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD) })
209 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
210 scope=SCOPE_BASE, attrs=["primaryGroupID"])
211 self.assertTrue(len(res1) == 1)
212 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
214 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
216 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
217 # since such accounts aren't directly creatable (ACCESS_DENIED)
220 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
221 "objectclass": "computer",
222 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
224 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
225 scope=SCOPE_BASE, attrs=["primaryGroupID"])
226 self.assertTrue(len(res1) == 1)
227 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
229 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
232 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
233 "objectclass": "computer",
234 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
236 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
237 scope=SCOPE_BASE, attrs=["primaryGroupID"])
238 self.assertTrue(len(res1) == 1)
239 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
241 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
243 # Read-only DC accounts are only creatable by
244 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
245 # we have a fallback in the assertion)
247 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
248 "objectclass": "computer",
249 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
251 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
252 scope=SCOPE_BASE, attrs=["primaryGroupID"])
253 self.assertTrue(len(res1) == 1)
254 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
255 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
257 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
259 # Test default primary groups on modify operations
262 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
263 "objectclass": "user"})
266 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
267 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
268 "userAccountControl")
271 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
272 scope=SCOPE_BASE, attrs=["primaryGroupID"])
273 self.assertTrue(len(res1) == 1)
274 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
276 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
277 # since such accounts aren't directly creatable (ACCESS_DENIED)
279 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
282 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
283 "objectclass": "computer"})
285 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
286 scope=SCOPE_BASE, attrs=["primaryGroupID"])
287 self.assertTrue(len(res1) == 1)
288 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
291 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
292 m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
293 "userAccountControl")
296 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
297 scope=SCOPE_BASE, attrs=["primaryGroupID"])
298 self.assertTrue(len(res1) == 1)
299 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
302 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
303 m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
304 "userAccountControl")
307 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
308 scope=SCOPE_BASE, attrs=["primaryGroupID"])
309 self.assertTrue(len(res1) == 1)
310 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
312 # Read-only DC accounts are only creatable by
313 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
314 # we have a fallback in the assertion)
316 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
317 m["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
318 "userAccountControl")
321 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
322 scope=SCOPE_BASE, attrs=["primaryGroupID"])
323 self.assertTrue(len(res1) == 1)
324 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
325 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
327 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
329 # Recreate account for further tests
332 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
333 "objectclass": "user"})
335 # Try to set an invalid account name
337 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
338 m["sAMAccountName"] = MessageElement("administrator", FLAG_MOD_REPLACE,
343 except LdbError, (num, _):
344 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
346 # But to reset the actual "sAMAccountName" should still be possible
347 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
348 scope=SCOPE_BASE, attrs=["sAMAccountName"])
349 self.assertTrue(len(res1) == 1)
351 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
352 m["sAMAccountName"] = MessageElement(res1[0]["sAMAccountName"][0], FLAG_MOD_REPLACE,
356 # And another (free) name should be possible as well
358 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
359 m["sAMAccountName"] = MessageElement("xxx_ldaptestuser_xxx", FLAG_MOD_REPLACE,
363 # We should be able to reset our actual primary group
365 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
366 m["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS), FLAG_MOD_REPLACE,
370 # Try to add invalid primary group
372 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
373 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
378 except LdbError, (num, _):
379 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
381 # Try to make group 1 primary - should be denied since it is not yet
384 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
385 m["primaryGroupID"] = MessageElement(str(group_rid_1),
386 FLAG_MOD_REPLACE, "primaryGroupID")
390 except LdbError, (num, _):
391 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
393 # Make group 1 secondary
395 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
396 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
397 FLAG_MOD_REPLACE, "member")
400 # Make group 1 primary
402 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
403 m["primaryGroupID"] = MessageElement(str(group_rid_1),
404 FLAG_MOD_REPLACE, "primaryGroupID")
407 # Try to delete group 1 - should be denied
409 ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
411 except LdbError, (num, _):
412 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
414 # Try to add group 1 also as secondary - should be denied
416 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
417 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
418 FLAG_MOD_ADD, "member")
422 except LdbError, (num, _):
423 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
425 # Try to add invalid member to group 1 - should be denied
427 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
428 m["member"] = MessageElement(
429 "cn=ldaptestuser3,cn=users," + self.base_dn,
430 FLAG_MOD_ADD, "member")
434 except LdbError, (num, _):
435 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
437 # Make group 2 secondary
439 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
440 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
441 FLAG_MOD_ADD, "member")
446 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
447 m["primaryGroupID"] = MessageElement(str(group_rid_2),
448 FLAG_MOD_REPLACE, "primaryGroupID")
451 # Swap the groups (does not really make sense but does the same)
453 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
454 m["primaryGroupID"] = MessageElement(str(group_rid_1),
455 FLAG_MOD_REPLACE, "primaryGroupID")
456 m["primaryGroupID"] = MessageElement(str(group_rid_2),
457 FLAG_MOD_REPLACE, "primaryGroupID")
460 # Old primary group should contain a "member" attribute for the user,
461 # the new shouldn't contain anymore one
462 res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
463 scope=SCOPE_BASE, attrs=["member"])
464 self.assertTrue(len(res1) == 1)
465 self.assertTrue(len(res1[0]["member"]) == 1)
466 self.assertEquals(res1[0]["member"][0].lower(),
467 ("cn=ldaptestuser,cn=users," + self.base_dn).lower())
469 res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
470 scope=SCOPE_BASE, attrs=["member"])
471 self.assertTrue(len(res1) == 1)
472 self.assertFalse("member" in res1[0])
474 # Primary group member
476 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
477 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
478 FLAG_MOD_DELETE, "member")
482 except LdbError, (num, _):
483 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
485 # Delete invalid group member
487 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
488 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
489 FLAG_MOD_DELETE, "member")
493 except LdbError, (num, _):
494 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
496 # Also this should be denied
499 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
500 "objectclass": "user",
501 "primaryGroupID": "0"})
503 except LdbError, (num, _):
504 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
506 # Recreate user accounts
508 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
511 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
512 "objectclass": "user"})
515 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
516 "objectclass": "user"})
519 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
520 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
521 FLAG_MOD_ADD, "member")
526 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
527 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
528 FLAG_MOD_ADD, "member")
532 except LdbError, (num, _):
533 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
535 # Already added, but as <SID=...>
536 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
537 scope=SCOPE_BASE, attrs=["objectSid"])
538 self.assertTrue(len(res1) == 1)
539 sid_bin = res1[0]["objectSid"][0]
540 sid_str = ("<SID=" + ldb.schema_format_value("objectSid", sid_bin) + ">").upper()
543 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
544 m["member"] = MessageElement(sid_str, FLAG_MOD_ADD, "member")
548 except LdbError, (num, _):
549 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
553 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
554 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
555 FLAG_MOD_REPLACE, "member")
559 except LdbError, (num, _):
560 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
564 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
565 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
566 "cn=ldaptestuser1,cn=users," + self.base_dn],
567 FLAG_MOD_REPLACE, "member")
571 except LdbError, (num, _):
572 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
576 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
577 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
578 FLAG_MOD_REPLACE, "member")
579 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
580 FLAG_MOD_ADD, "member")
584 except LdbError, (num, _):
585 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
588 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
589 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
590 "cn=ldaptestuser2,cn=users," + self.base_dn],
591 FLAG_MOD_REPLACE, "member")
594 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
595 self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
596 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
597 self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
599 # Make also a small test for accounts with special DNs ("," in this case)
601 "dn": "cn=ldaptest\,specialuser,cn=users," + self.base_dn,
602 "objectclass": "user"})
603 self.delete_force(self.ldb, "cn=ldaptest\,specialuser,cn=users," + self.base_dn)
605 def test_sam_attributes(self):
606 """Test the behaviour of special attributes of SAM objects"""
607 print "Testing the behaviour of special attributes of SAM objects\n"""
610 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
611 "objectclass": "user"})
613 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
614 "objectclass": "group"})
617 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
618 m["groupType"] = MessageElement(str(GTYPE_SECURITY_GLOBAL_GROUP), FLAG_MOD_ADD,
623 except LdbError, (num, _):
624 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
627 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
628 m["groupType"] = MessageElement([], FLAG_MOD_DELETE,
633 except LdbError, (num, _):
634 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
637 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
638 m["primaryGroupID"] = MessageElement("513", FLAG_MOD_ADD,
643 except LdbError, (num, _):
644 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
647 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
648 m["primaryGroupID"] = MessageElement([], FLAG_MOD_DELETE,
653 except LdbError, (num, _):
654 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
657 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
658 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD,
659 "userAccountControl")
663 except LdbError, (num, _):
664 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
667 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
668 m["userAccountControl"] = MessageElement([], FLAG_MOD_DELETE,
669 "userAccountControl")
673 except LdbError, (num, _):
674 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
677 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
678 m["objectSid"] = MessageElement("xxxxxxxxxxxxxxxx", FLAG_MOD_ADD,
683 except LdbError, (num, _):
684 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
687 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
688 m["objectSid"] = MessageElement([], FLAG_MOD_REPLACE, "objectSid")
692 except LdbError, (num, _):
693 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
696 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
697 m["objectSid"] = MessageElement([], FLAG_MOD_DELETE, "objectSid")
701 except LdbError, (num, _):
702 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
705 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
706 m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD,
711 except LdbError, (num, _):
712 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
715 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
716 m["sAMAccountType"] = MessageElement([], FLAG_MOD_REPLACE,
721 except LdbError, (num, _):
722 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
725 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
726 m["sAMAccountType"] = MessageElement([], FLAG_MOD_DELETE,
731 except LdbError, (num, _):
732 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
735 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
736 m["sAMAccountName"] = MessageElement("test", FLAG_MOD_ADD,
741 except LdbError, (num, _):
742 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
745 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
746 m["sAMAccountName"] = MessageElement([], FLAG_MOD_REPLACE,
751 except LdbError, (num, _):
752 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
755 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
756 m["sAMAccountName"] = MessageElement([], FLAG_MOD_DELETE,
761 except LdbError, (num, _):
762 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
764 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
765 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
767 def test_primary_group_token_constructed(self):
768 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
769 print "Testing primary group token behaviour and other constructed attributes\n"
773 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
774 "objectclass": "group",
775 "primaryGroupToken": "100"})
777 except LdbError, (num, _):
778 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
779 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
782 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
783 "objectclass": "user"})
786 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
787 "objectclass": "group"})
789 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
790 res1 = ldb.search(self.base_dn,
791 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"])
792 self.assertTrue(len(res1) == 1)
793 self.assertFalse("primaryGroupToken" in res1[0])
794 self.assertTrue("canonicalName" in res1[0])
795 self.assertTrue("objectClass" in res1[0])
796 self.assertTrue("objectSid" in res1[0])
798 res1 = ldb.search(self.base_dn,
799 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"])
800 self.assertTrue(len(res1) == 1)
801 self.assertFalse("primaryGroupToken" in res1[0])
802 self.assertFalse("objectSid" in res1[0])
803 self.assertFalse("objectClass" in res1[0])
804 self.assertTrue("canonicalName" in res1[0])
806 res1 = ldb.search("cn=users," + self.base_dn,
807 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
808 self.assertTrue(len(res1) == 1)
809 self.assertFalse("primaryGroupToken" in res1[0])
811 res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn,
812 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
813 self.assertTrue(len(res1) == 1)
814 self.assertFalse("primaryGroupToken" in res1[0])
816 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
818 self.assertTrue(len(res1) == 1)
819 self.assertFalse("primaryGroupToken" in res1[0])
821 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
822 scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"])
823 self.assertTrue(len(res1) == 1)
824 primary_group_token = int(res1[0]["primaryGroupToken"][0])
826 rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1]
827 self.assertEquals(primary_group_token, rid)
830 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
831 m["primaryGroupToken"] = "100"
835 except LdbError, (num, _):
836 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
838 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
839 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
841 def test_tokenGroups(self):
842 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
843 print "Testing tokenGroups behaviour\n"
845 # The domain object shouldn't contain any "tokenGroups" entry
846 res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"])
847 self.assertTrue(len(res) == 1)
848 self.assertFalse("tokenGroups" in res[0])
850 # The domain administrator should contain "tokenGroups" entries
851 # (the exact number depends on the domain/forest function level and the
852 # DC software versions)
853 res = ldb.search("cn=Administrator,cn=Users," + self.base_dn,
854 scope=SCOPE_BASE, attrs=["tokenGroups"])
855 self.assertTrue(len(res) == 1)
856 self.assertTrue("tokenGroups" in res[0])
859 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
860 "objectclass": "user"})
862 # This testuser should contain at least two "tokenGroups" entries
863 # (exactly two on an unmodified "Domain Users" and "Users" group)
864 res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
865 scope=SCOPE_BASE, attrs=["tokenGroups"])
866 self.assertTrue(len(res) == 1)
867 self.assertTrue(len(res[0]["tokenGroups"]) >= 2)
869 # one entry which we need to find should point to domains "Domain Users"
870 # group and another entry should point to the builtin "Users"group
871 domain_users_group_found = False
872 users_group_found = False
873 for sid in res[0]["tokenGroups"]:
874 rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1]
876 domain_users_group_found = True
878 users_group_found = True
880 self.assertTrue(domain_users_group_found)
881 self.assertTrue(users_group_found)
883 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
885 def test_groupType(self):
886 """Test the groupType behaviour"""
887 print "Testing groupType behaviour\n"
889 # You can never create or change to a
890 # "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP"
897 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
898 "objectclass": "group",
901 except LdbError, (num, _):
902 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
903 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
907 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
908 "objectclass": "group",
909 "groupType": str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP)})
911 except LdbError, (num, _):
912 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
913 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
916 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
917 "objectclass": "group",
918 "groupType": str(GTYPE_SECURITY_GLOBAL_GROUP)})
920 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
921 scope=SCOPE_BASE, attrs=["sAMAccountType"])
922 self.assertTrue(len(res1) == 1)
923 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
924 ATYPE_SECURITY_GLOBAL_GROUP)
925 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
928 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
929 "objectclass": "group",
930 "groupType": str(GTYPE_SECURITY_UNIVERSAL_GROUP)})
932 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
933 scope=SCOPE_BASE, attrs=["sAMAccountType"])
934 self.assertTrue(len(res1) == 1)
935 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
936 ATYPE_SECURITY_UNIVERSAL_GROUP)
937 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
940 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
941 "objectclass": "group",
942 "groupType": str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)})
944 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
945 scope=SCOPE_BASE, attrs=["sAMAccountType"])
946 self.assertTrue(len(res1) == 1)
947 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
948 ATYPE_SECURITY_LOCAL_GROUP)
949 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
952 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
953 "objectclass": "group",
954 "groupType": str(GTYPE_DISTRIBUTION_GLOBAL_GROUP)})
956 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
957 scope=SCOPE_BASE, attrs=["sAMAccountType"])
958 self.assertTrue(len(res1) == 1)
959 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
960 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
961 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
964 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
965 "objectclass": "group",
966 "groupType": str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP)})
968 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
969 scope=SCOPE_BASE, attrs=["sAMAccountType"])
970 self.assertTrue(len(res1) == 1)
971 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
972 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
973 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
976 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
977 "objectclass": "group",
978 "groupType": str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)})
980 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
981 scope=SCOPE_BASE, attrs=["sAMAccountType"])
982 self.assertTrue(len(res1) == 1)
983 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
984 ATYPE_DISTRIBUTION_LOCAL_GROUP)
985 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
990 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
991 "objectclass": "group"})
993 # We can change in this direction: global <-> universal <-> local
994 # On each step also the group type itself (security/distribution) is
997 # After creation we should have a "security global group"
998 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
999 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1000 self.assertTrue(len(res1) == 1)
1001 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1002 ATYPE_SECURITY_GLOBAL_GROUP)
1007 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1008 m["groupType"] = MessageElement("0",
1009 FLAG_MOD_REPLACE, "groupType")
1012 except LdbError, (num, _):
1013 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1017 # Default is "global group"
1020 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1021 m["groupType"] = MessageElement(
1022 str(GTYPE_SECURITY_GLOBAL_GROUP),
1023 FLAG_MOD_REPLACE, "groupType")
1026 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1027 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1028 self.assertTrue(len(res1) == 1)
1029 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1030 ATYPE_SECURITY_GLOBAL_GROUP)
1032 # Change to "local" (shouldn't work)
1036 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1037 m["groupType"] = MessageElement(
1038 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1039 FLAG_MOD_REPLACE, "groupType")
1042 except LdbError, (num, _):
1043 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1045 # Change to "universal"
1048 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1049 m["groupType"] = MessageElement(
1050 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1051 FLAG_MOD_REPLACE, "groupType")
1054 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1055 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1056 self.assertTrue(len(res1) == 1)
1057 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1058 ATYPE_SECURITY_UNIVERSAL_GROUP)
1060 # Change back to "global"
1063 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1064 m["groupType"] = MessageElement(
1065 str(GTYPE_SECURITY_GLOBAL_GROUP),
1066 FLAG_MOD_REPLACE, "groupType")
1069 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1070 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1071 self.assertTrue(len(res1) == 1)
1072 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1073 ATYPE_SECURITY_GLOBAL_GROUP)
1075 # Change back to "universal"
1078 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1079 m["groupType"] = MessageElement(
1080 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1081 FLAG_MOD_REPLACE, "groupType")
1084 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1085 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1086 self.assertTrue(len(res1) == 1)
1087 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1088 ATYPE_SECURITY_UNIVERSAL_GROUP)
1093 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1094 m["groupType"] = MessageElement(
1095 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1096 FLAG_MOD_REPLACE, "groupType")
1099 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1100 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1101 self.assertTrue(len(res1) == 1)
1102 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1103 ATYPE_SECURITY_LOCAL_GROUP)
1105 # Change to "global" (shouldn't work)
1109 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1110 m["groupType"] = MessageElement(
1111 str(GTYPE_SECURITY_GLOBAL_GROUP),
1112 FLAG_MOD_REPLACE, "groupType")
1115 except LdbError, (num, _):
1116 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1118 # Change to "builtin local" (shouldn't work)
1122 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1123 m["groupType"] = MessageElement(
1124 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1125 FLAG_MOD_REPLACE, "groupType")
1128 except LdbError, (num, _):
1129 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1132 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1134 # Change back to "universal"
1137 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1138 m["groupType"] = MessageElement(
1139 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1140 FLAG_MOD_REPLACE, "groupType")
1143 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1144 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1145 self.assertTrue(len(res1) == 1)
1146 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1147 ATYPE_SECURITY_UNIVERSAL_GROUP)
1149 # Change to "builtin local" (shouldn't work)
1153 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1154 m["groupType"] = MessageElement(
1155 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1156 FLAG_MOD_REPLACE, "groupType")
1159 except LdbError, (num, _):
1160 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1162 # Change back to "global"
1165 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1166 m["groupType"] = MessageElement(
1167 str(GTYPE_SECURITY_GLOBAL_GROUP),
1168 FLAG_MOD_REPLACE, "groupType")
1171 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1172 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1173 self.assertTrue(len(res1) == 1)
1174 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1175 ATYPE_SECURITY_GLOBAL_GROUP)
1177 # Change to "builtin local" (shouldn't work)
1181 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1182 m["groupType"] = MessageElement(
1183 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1184 FLAG_MOD_REPLACE, "groupType")
1187 except LdbError, (num, _):
1188 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1190 # Distribution groups
1192 # Default is "global group"
1195 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1196 m["groupType"] = MessageElement(
1197 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1198 FLAG_MOD_REPLACE, "groupType")
1201 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1202 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1203 self.assertTrue(len(res1) == 1)
1204 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1205 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1207 # Change to local (shouldn't work)
1211 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1212 m["groupType"] = MessageElement(
1213 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1214 FLAG_MOD_REPLACE, "groupType")
1217 except LdbError, (num, _):
1218 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1220 # Change to "universal"
1223 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1224 m["groupType"] = MessageElement(
1225 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1226 FLAG_MOD_REPLACE, "groupType")
1229 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1230 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1231 self.assertTrue(len(res1) == 1)
1232 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1233 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1235 # Change back to "global"
1238 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1239 m["groupType"] = MessageElement(
1240 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1241 FLAG_MOD_REPLACE, "groupType")
1244 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1245 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1246 self.assertTrue(len(res1) == 1)
1247 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1248 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1250 # Change back to "universal"
1253 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1254 m["groupType"] = MessageElement(
1255 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1256 FLAG_MOD_REPLACE, "groupType")
1259 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1260 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1261 self.assertTrue(len(res1) == 1)
1262 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1263 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1268 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1269 m["groupType"] = MessageElement(
1270 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1271 FLAG_MOD_REPLACE, "groupType")
1274 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1275 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1276 self.assertTrue(len(res1) == 1)
1277 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1278 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1280 # Change to "global" (shouldn't work)
1284 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1285 m["groupType"] = MessageElement(
1286 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1287 FLAG_MOD_REPLACE, "groupType")
1290 except LdbError, (num, _):
1291 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1293 # Change back to "universal"
1295 # Try to add invalid member to group 1 - should be denied
1297 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1298 m["member"] = MessageElement(
1299 "cn=ldaptestuser3,cn=users," + self.base_dn,
1300 FLAG_MOD_ADD, "member")
1304 except LdbError, (num, _):
1305 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1307 # Make group 2 secondary
1309 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1310 m["groupType"] = MessageElement(
1311 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1312 FLAG_MOD_REPLACE, "groupType")
1315 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1316 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1317 self.assertTrue(len(res1) == 1)
1318 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1319 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1321 # Change back to "global"
1324 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1325 m["groupType"] = MessageElement(
1326 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1327 FLAG_MOD_REPLACE, "groupType")
1330 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1331 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1332 self.assertTrue(len(res1) == 1)
1333 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1334 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1336 # Both group types: this performs only random checks - all possibilities
1337 # would require too much code.
1339 # Default is "global group"
1342 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1343 m["groupType"] = MessageElement(
1344 str(GTYPE_SECURITY_GLOBAL_GROUP),
1345 FLAG_MOD_REPLACE, "groupType")
1348 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1349 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1350 self.assertTrue(len(res1) == 1)
1351 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1352 ATYPE_SECURITY_GLOBAL_GROUP)
1354 # Change to "local" (shouldn't work)
1358 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1359 m["groupType"] = MessageElement(
1360 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1361 FLAG_MOD_REPLACE, "groupType")
1364 except LdbError, (num, _):
1365 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1367 # Change to "universal"
1370 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1371 m["groupType"] = MessageElement(
1372 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1373 FLAG_MOD_REPLACE, "groupType")
1376 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1377 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1378 self.assertTrue(len(res1) == 1)
1379 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1380 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1382 # Change back to "global"
1385 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1386 m["groupType"] = MessageElement(
1387 str(GTYPE_SECURITY_GLOBAL_GROUP),
1388 FLAG_MOD_REPLACE, "groupType")
1391 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1392 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1393 self.assertTrue(len(res1) == 1)
1394 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1395 ATYPE_SECURITY_GLOBAL_GROUP)
1397 # Change back to "universal"
1400 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1401 m["groupType"] = MessageElement(
1402 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1403 FLAG_MOD_REPLACE, "groupType")
1406 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1407 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1408 self.assertTrue(len(res1) == 1)
1409 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1410 ATYPE_SECURITY_UNIVERSAL_GROUP)
1415 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1416 m["groupType"] = MessageElement(
1417 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1418 FLAG_MOD_REPLACE, "groupType")
1421 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1422 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1423 self.assertTrue(len(res1) == 1)
1424 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1425 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1427 # Change to "global" (shouldn't work)
1431 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1432 m["groupType"] = MessageElement(
1433 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1434 FLAG_MOD_REPLACE, "groupType")
1437 except LdbError, (num, _):
1438 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1440 # Change back to "universal"
1443 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1444 m["groupType"] = MessageElement(
1445 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1446 FLAG_MOD_REPLACE, "groupType")
1449 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1450 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1451 self.assertTrue(len(res1) == 1)
1452 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1453 ATYPE_SECURITY_UNIVERSAL_GROUP)
1455 # Change back to "global"
1458 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1459 m["groupType"] = MessageElement(
1460 str(GTYPE_SECURITY_GLOBAL_GROUP),
1461 FLAG_MOD_REPLACE, "groupType")
1464 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1465 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1466 self.assertTrue(len(res1) == 1)
1467 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1468 ATYPE_SECURITY_GLOBAL_GROUP)
1470 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1472 def test_userAccountControl(self):
1473 """Test the userAccountControl behaviour"""
1474 print "Testing userAccountControl behaviour\n"
1476 # With a user object
1480 # As user you can only set a normal account.
1481 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1483 # With SYSTEM rights you can set a interdomain trust account.
1488 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1489 "objectclass": "user",
1490 "userAccountControl": "0"})
1492 except LdbError, (num, _):
1493 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1494 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1496 # This has to wait until s4 supports it (needs a password module change)
1499 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1500 # "objectclass": "user",
1501 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1503 # except LdbError, (num, _):
1504 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1505 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1508 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1509 "objectclass": "user",
1510 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1512 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1513 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1514 self.assertTrue(len(res1) == 1)
1515 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1516 ATYPE_NORMAL_ACCOUNT)
1517 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1521 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1522 "objectclass": "user",
1523 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1525 except LdbError, (num, _):
1526 self.assertEquals(num, ERR_OTHER)
1527 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1529 # This isn't supported yet in s4
1532 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1533 # "objectclass": "user",
1534 # "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1536 # except LdbError, (num, _):
1537 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1538 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1542 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1543 # "objectclass": "user",
1544 # "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1545 # except LdbError, (num, _):
1546 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1547 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1549 # This isn't supported yet in s4 - needs ACL module adaption
1552 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1553 # "objectclass": "user",
1554 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1556 # except LdbError, (num, _):
1557 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1558 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1563 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1564 "objectclass": "user"})
1566 # After creation we should have a normal account
1567 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1568 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1569 self.assertTrue(len(res1) == 1)
1570 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1571 ATYPE_NORMAL_ACCOUNT)
1573 # As user you can only switch from a normal account to a workstation
1574 # trust account and back.
1575 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1577 # With SYSTEM rights you can switch to a interdomain trust account.
1582 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1583 m["userAccountControl"] = MessageElement("0",
1584 FLAG_MOD_REPLACE, "userAccountControl")
1586 except LdbError, (num, _):
1587 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1589 # This has to wait until s4 supports it (needs a password module change)
1592 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1593 # m["userAccountControl"] = MessageElement(
1594 # str(UF_NORMAL_ACCOUNT),
1595 # FLAG_MOD_REPLACE, "userAccountControl")
1597 # except LdbError, (num, _):
1598 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1601 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1602 m["userAccountControl"] = MessageElement(
1603 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1604 FLAG_MOD_REPLACE, "userAccountControl")
1607 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1608 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1609 self.assertTrue(len(res1) == 1)
1610 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1611 ATYPE_NORMAL_ACCOUNT)
1615 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1616 m["userAccountControl"] = MessageElement(
1617 str(UF_TEMP_DUPLICATE_ACCOUNT),
1618 FLAG_MOD_REPLACE, "userAccountControl")
1621 except LdbError, (num, _):
1622 self.assertEquals(num, ERR_OTHER)
1624 # This isn't supported yet in s4
1627 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1628 # m["userAccountControl"] = MessageElement(
1629 # str(UF_SERVER_TRUST_ACCOUNT),
1630 # FLAG_MOD_REPLACE, "userAccountControl")
1633 # except LdbError, (num, _):
1634 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1637 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1638 m["userAccountControl"] = MessageElement(
1639 str(UF_WORKSTATION_TRUST_ACCOUNT),
1640 FLAG_MOD_REPLACE, "userAccountControl")
1643 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1644 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1645 self.assertTrue(len(res1) == 1)
1646 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1647 ATYPE_WORKSTATION_TRUST)
1650 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1651 m["userAccountControl"] = MessageElement(
1652 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1653 FLAG_MOD_REPLACE, "userAccountControl")
1656 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1657 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1658 self.assertTrue(len(res1) == 1)
1659 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1660 ATYPE_NORMAL_ACCOUNT)
1662 # This isn't supported yet in s4 - needs ACL module adaption
1665 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1666 # m["userAccountControl"] = MessageElement(
1667 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1668 # FLAG_MOD_REPLACE, "userAccountControl")
1671 # except LdbError, (num, _):
1672 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1674 # With a computer object
1678 # As computer you can set a normal account and a server trust account.
1679 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1681 # With SYSTEM rights you can set a interdomain trust account.
1686 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1687 "objectclass": "computer",
1688 "userAccountControl": "0"})
1690 except LdbError, (num, _):
1691 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1692 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1694 # This has to wait until s4 supports it (needs a password module change)
1697 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1698 # "objectclass": "computer",
1699 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1701 # except LdbError, (num, _):
1702 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1703 # self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1706 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1707 "objectclass": "computer",
1708 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1710 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1711 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1712 self.assertTrue(len(res1) == 1)
1713 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1714 ATYPE_NORMAL_ACCOUNT)
1715 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1719 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1720 "objectclass": "computer",
1721 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1723 except LdbError, (num, _):
1724 self.assertEquals(num, ERR_OTHER)
1725 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1728 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1729 "objectclass": "computer",
1730 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1732 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1733 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1734 self.assertTrue(len(res1) == 1)
1735 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1736 ATYPE_WORKSTATION_TRUST)
1737 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1741 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1742 "objectclass": "computer",
1743 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1744 except LdbError, (num, _):
1745 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1746 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1748 # This isn't supported yet in s4 - needs ACL module adaption
1751 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1752 # "objectclass": "computer",
1753 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1755 # except LdbError, (num, _):
1756 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1757 # self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1762 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1763 "objectclass": "computer"})
1765 # After creation we should have a normal account
1766 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1767 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1768 self.assertTrue(len(res1) == 1)
1769 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1770 ATYPE_NORMAL_ACCOUNT)
1772 # As computer you can switch from a normal account to a workstation
1773 # or server trust account and back (also swapping between trust
1774 # accounts is allowed).
1775 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1777 # With SYSTEM rights you can switch to a interdomain trust account.
1782 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1783 m["userAccountControl"] = MessageElement("0",
1784 FLAG_MOD_REPLACE, "userAccountControl")
1786 except LdbError, (num, _):
1787 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1789 # This has to wait until s4 supports it (needs a password module change)
1792 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1793 # m["userAccountControl"] = MessageElement(
1794 # str(UF_NORMAL_ACCOUNT),
1795 # FLAG_MOD_REPLACE, "userAccountControl")
1797 # except LdbError, (num, _):
1798 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1801 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1802 m["userAccountControl"] = MessageElement(
1803 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1804 FLAG_MOD_REPLACE, "userAccountControl")
1807 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1808 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1809 self.assertTrue(len(res1) == 1)
1810 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1811 ATYPE_NORMAL_ACCOUNT)
1815 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1816 m["userAccountControl"] = MessageElement(
1817 str(UF_TEMP_DUPLICATE_ACCOUNT),
1818 FLAG_MOD_REPLACE, "userAccountControl")
1821 except LdbError, (num, _):
1822 self.assertEquals(num, ERR_OTHER)
1825 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1826 m["userAccountControl"] = MessageElement(
1827 str(UF_SERVER_TRUST_ACCOUNT),
1828 FLAG_MOD_REPLACE, "userAccountControl")
1831 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1832 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1833 self.assertTrue(len(res1) == 1)
1834 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1835 ATYPE_WORKSTATION_TRUST)
1838 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1839 m["userAccountControl"] = MessageElement(
1840 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1841 FLAG_MOD_REPLACE, "userAccountControl")
1844 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1845 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1846 self.assertTrue(len(res1) == 1)
1847 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1848 ATYPE_NORMAL_ACCOUNT)
1851 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1852 m["userAccountControl"] = MessageElement(
1853 str(UF_WORKSTATION_TRUST_ACCOUNT),
1854 FLAG_MOD_REPLACE, "userAccountControl")
1857 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1858 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1859 self.assertTrue(len(res1) == 1)
1860 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1861 ATYPE_WORKSTATION_TRUST)
1864 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1865 m["userAccountControl"] = MessageElement(
1866 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1867 FLAG_MOD_REPLACE, "userAccountControl")
1870 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1871 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1872 self.assertTrue(len(res1) == 1)
1873 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1874 ATYPE_NORMAL_ACCOUNT)
1877 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1878 m["userAccountControl"] = MessageElement(
1879 str(UF_SERVER_TRUST_ACCOUNT),
1880 FLAG_MOD_REPLACE, "userAccountControl")
1883 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1884 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1885 self.assertTrue(len(res1) == 1)
1886 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1887 ATYPE_WORKSTATION_TRUST)
1890 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1891 m["userAccountControl"] = MessageElement(
1892 str(UF_WORKSTATION_TRUST_ACCOUNT),
1893 FLAG_MOD_REPLACE, "userAccountControl")
1896 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1897 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1898 self.assertTrue(len(res1) == 1)
1899 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1900 ATYPE_WORKSTATION_TRUST)
1902 # This isn't supported yet in s4 - needs ACL module adaption
1905 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1906 # m["userAccountControl"] = MessageElement(
1907 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1908 # FLAG_MOD_REPLACE, "userAccountControl")
1911 # except LdbError, (num, _):
1912 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1914 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1915 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1917 def test_service_principal_name_updates(self):
1918 """Test the servicePrincipalNames update behaviour"""
1919 print "Testing servicePrincipalNames update behaviour\n"
1922 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1923 "objectclass": "computer",
1924 "dNSHostName": "testname.testdom"})
1926 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1927 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1928 self.assertTrue(len(res) == 1)
1929 self.assertFalse("servicePrincipalName" in res[0])
1931 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1934 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1935 "objectclass": "computer",
1936 "servicePrincipalName": "HOST/testname.testdom"})
1938 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1939 scope=SCOPE_BASE, attrs=["dNSHostName"])
1940 self.assertTrue(len(res) == 1)
1941 self.assertFalse("dNSHostName" in res[0])
1943 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1946 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1947 "objectclass": "computer",
1948 "dNSHostName": "testname2.testdom",
1949 "servicePrincipalName": "HOST/testname.testdom"})
1951 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1952 scope=SCOPE_BASE, attrs=["dNSHostName"])
1953 self.assertTrue(len(res) == 1)
1954 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
1956 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1957 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1958 self.assertTrue(len(res) == 1)
1959 self.assertEquals(res[0]["servicePrincipalName"][0],
1960 "HOST/testname.testdom")
1963 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1964 m["dNSHostName"] = MessageElement("testname.testdoM",
1965 FLAG_MOD_REPLACE, "dNSHostName")
1968 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1969 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1970 self.assertTrue(len(res) == 1)
1971 self.assertEquals(res[0]["servicePrincipalName"][0],
1972 "HOST/testname.testdom")
1975 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1976 m["dNSHostName"] = MessageElement("testname2.testdom2",
1977 FLAG_MOD_REPLACE, "dNSHostName")
1980 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1981 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1982 self.assertTrue(len(res) == 1)
1983 self.assertEquals(res[0]["servicePrincipalName"][0],
1984 "HOST/testname2.testdom2")
1987 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1988 m["dNSHostName"] = MessageElement([],
1989 FLAG_MOD_DELETE, "dNSHostName")
1992 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1993 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1994 self.assertTrue(len(res) == 1)
1995 self.assertEquals(res[0]["servicePrincipalName"][0],
1996 "HOST/testname2.testdom2")
1999 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2000 m["dNSHostName"] = MessageElement("testname.testdom3",
2001 FLAG_MOD_REPLACE, "dNSHostName")
2004 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2005 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2006 self.assertTrue(len(res) == 1)
2007 self.assertEquals(res[0]["servicePrincipalName"][0],
2008 "HOST/testname2.testdom2")
2011 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2012 m["dNSHostName"] = MessageElement("testname2.testdom2",
2013 FLAG_MOD_REPLACE, "dNSHostName")
2017 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2018 m["dNSHostName"] = MessageElement("testname3.testdom3",
2019 FLAG_MOD_REPLACE, "dNSHostName")
2020 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
2022 "servicePrincipalName")
2025 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2026 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2027 self.assertTrue(len(res) == 1)
2028 self.assertEquals(res[0]["servicePrincipalName"][0],
2029 "HOST/testname3.testdom3")
2032 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2033 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
2035 "servicePrincipalName")
2036 m["dNSHostName"] = MessageElement("testname4.testdom4",
2037 FLAG_MOD_REPLACE, "dNSHostName")
2040 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2041 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2042 self.assertTrue(len(res) == 1)
2043 self.assertEquals(res[0]["servicePrincipalName"][0],
2044 "HOST/testname2.testdom2")
2047 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2048 m["servicePrincipalName"] = MessageElement([],
2050 "servicePrincipalName")
2054 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2055 m["dNSHostName"] = MessageElement("testname2.testdom2",
2056 FLAG_MOD_REPLACE, "dNSHostName")
2059 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2060 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2061 self.assertTrue(len(res) == 1)
2062 self.assertFalse("servicePrincipalName" in res[0])
2064 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2067 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2068 "objectclass": "computer",
2069 "sAMAccountName": "testname$"})
2071 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2072 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2073 self.assertTrue(len(res) == 1)
2074 self.assertFalse("servicePrincipalName" in res[0])
2076 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2079 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2080 "objectclass": "computer",
2081 "servicePrincipalName": "HOST/testname"})
2083 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2084 scope=SCOPE_BASE, attrs=["sAMAccountName"])
2085 self.assertTrue(len(res) == 1)
2086 self.assertTrue("sAMAccountName" in res[0])
2088 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2091 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2092 "objectclass": "computer",
2093 "sAMAccountName": "testname$",
2094 "servicePrincipalName": "HOST/testname"})
2096 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2097 scope=SCOPE_BASE, attrs=["sAMAccountName"])
2098 self.assertTrue(len(res) == 1)
2099 self.assertEquals(res[0]["sAMAccountName"][0], "testname$")
2101 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2102 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2103 self.assertTrue(len(res) == 1)
2104 self.assertEquals(res[0]["servicePrincipalName"][0],
2108 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2109 m["sAMAccountName"] = MessageElement("testnamE$",
2110 FLAG_MOD_REPLACE, "sAMAccountName")
2113 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2114 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2115 self.assertTrue(len(res) == 1)
2116 self.assertEquals(res[0]["servicePrincipalName"][0],
2120 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2121 m["sAMAccountName"] = MessageElement("testname",
2122 FLAG_MOD_REPLACE, "sAMAccountName")
2125 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2126 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2127 self.assertTrue(len(res) == 1)
2128 self.assertEquals(res[0]["servicePrincipalName"][0],
2132 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2133 m["sAMAccountName"] = MessageElement("test$name$",
2134 FLAG_MOD_REPLACE, "sAMAccountName")
2137 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2138 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2139 self.assertTrue(len(res) == 1)
2140 self.assertEquals(res[0]["servicePrincipalName"][0],
2144 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2145 m["sAMAccountName"] = MessageElement("testname2",
2146 FLAG_MOD_REPLACE, "sAMAccountName")
2149 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2150 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2151 self.assertTrue(len(res) == 1)
2152 self.assertEquals(res[0]["servicePrincipalName"][0],
2156 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2157 m["sAMAccountName"] = MessageElement("testname3",
2158 FLAG_MOD_REPLACE, "sAMAccountName")
2159 m["servicePrincipalName"] = MessageElement("HOST/testname2",
2161 "servicePrincipalName")
2164 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2165 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2166 self.assertTrue(len(res) == 1)
2167 self.assertEquals(res[0]["servicePrincipalName"][0],
2171 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2172 m["servicePrincipalName"] = MessageElement("HOST/testname2",
2174 "servicePrincipalName")
2175 m["sAMAccountName"] = MessageElement("testname4",
2176 FLAG_MOD_REPLACE, "sAMAccountName")
2179 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2180 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2181 self.assertTrue(len(res) == 1)
2182 self.assertEquals(res[0]["servicePrincipalName"][0],
2186 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2187 m["servicePrincipalName"] = MessageElement([],
2189 "servicePrincipalName")
2193 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2194 m["sAMAccountName"] = MessageElement("testname2",
2195 FLAG_MOD_REPLACE, "sAMAccountName")
2198 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2199 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2200 self.assertTrue(len(res) == 1)
2201 self.assertFalse("servicePrincipalName" in res[0])
2203 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2206 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2207 "objectclass": "computer",
2208 "dNSHostName": "testname.testdom",
2209 "sAMAccountName": "testname$",
2210 "servicePrincipalName": [ "HOST/testname.testdom", "HOST/testname" ]
2214 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2215 m["dNSHostName"] = MessageElement("testname2.testdom",
2216 FLAG_MOD_REPLACE, "dNSHostName")
2217 m["sAMAccountName"] = MessageElement("testname2$",
2218 FLAG_MOD_REPLACE, "sAMAccountName")
2221 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2222 scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2223 self.assertTrue(len(res) == 1)
2224 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2225 self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2226 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2" or
2227 res[0]["servicePrincipalName"][1] == "HOST/testname2")
2228 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2.testdom" or
2229 res[0]["servicePrincipalName"][1] == "HOST/testname2.testdom")
2231 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2234 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2235 "objectclass": "computer",
2236 "dNSHostName": "testname.testdom",
2237 "sAMAccountName": "testname$",
2238 "servicePrincipalName": [ "HOST/testname.testdom", "HOST/testname" ]
2242 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2243 m["sAMAccountName"] = MessageElement("testname2$",
2244 FLAG_MOD_REPLACE, "sAMAccountName")
2245 m["dNSHostName"] = MessageElement("testname2.testdom",
2246 FLAG_MOD_REPLACE, "dNSHostName")
2249 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2250 scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2251 self.assertTrue(len(res) == 1)
2252 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2253 self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2254 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2" or
2255 res[0]["servicePrincipalName"][1] == "HOST/testname2")
2256 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2.testdom" or
2257 res[0]["servicePrincipalName"][1] == "HOST/testname2.testdom")
2259 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2261 def test_sam_description_attribute(self):
2262 """Test SAM description attribute"""
2263 print "Test SAM description attribute"""
2266 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2267 "description": "desc2",
2268 "objectclass": "group",
2269 "description": "desc1"})
2271 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2272 scope=SCOPE_BASE, attrs=["description"])
2273 self.assertTrue(len(res) == 1)
2274 self.assertTrue("description" in res[0])
2275 self.assertTrue(len(res[0]["description"]) == 1)
2276 self.assertEquals(res[0]["description"][0], "desc1")
2278 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2281 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2282 "objectclass": "group",
2283 "description": ["desc1", "desc2"]})
2285 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2286 scope=SCOPE_BASE, attrs=["description"])
2287 self.assertTrue(len(res) == 1)
2288 self.assertTrue("description" in res[0])
2289 self.assertTrue(len(res[0]["description"]) == 2)
2290 self.assertTrue(res[0]["description"][0] == "desc1" or
2291 res[0]["description"][1] == "desc1")
2292 self.assertTrue(res[0]["description"][0] == "desc2" or
2293 res[0]["description"][1] == "desc2")
2296 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2297 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2302 except LdbError, (num, _):
2303 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2306 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2307 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2311 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2314 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2315 "objectclass": "group" })
2318 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2319 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2323 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2324 scope=SCOPE_BASE, attrs=["description"])
2325 self.assertTrue(len(res) == 1)
2326 self.assertTrue("description" in res[0])
2327 self.assertTrue(len(res[0]["description"]) == 1)
2328 self.assertEquals(res[0]["description"][0], "desc1")
2330 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2333 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2334 "objectclass": "group",
2335 "description": ["desc1", "desc2"]})
2338 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2339 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2343 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2344 scope=SCOPE_BASE, attrs=["description"])
2345 self.assertTrue(len(res) == 1)
2346 self.assertTrue("description" in res[0])
2347 self.assertTrue(len(res[0]["description"]) == 1)
2348 self.assertEquals(res[0]["description"][0], "desc1")
2351 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2352 m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
2357 except LdbError, (num, _):
2358 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2361 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2362 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2367 except LdbError, (num, _):
2368 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
2371 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2372 m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
2375 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2376 scope=SCOPE_BASE, attrs=["description"])
2377 self.assertTrue(len(res) == 1)
2378 self.assertFalse("description" in res[0])
2381 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2382 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2387 except LdbError, (num, _):
2388 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2391 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2392 m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
2397 except LdbError, (num, _):
2398 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2401 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2402 m["description"] = MessageElement("desc1", FLAG_MOD_ADD,
2406 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2407 scope=SCOPE_BASE, attrs=["description"])
2408 self.assertTrue(len(res) == 1)
2409 self.assertTrue("description" in res[0])
2410 self.assertTrue(len(res[0]["description"]) == 1)
2411 self.assertEquals(res[0]["description"][0], "desc1")
2413 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2416 if not "://" in host:
2417 if os.path.isfile(host):
2418 host = "tdb://%s" % host
2420 host = "ldap://%s" % host
2422 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
2423 if not "tdb://" in host:
2424 gc_ldb = Ldb("%s:3268" % host, credentials=creds,
2425 session_info=system_session(), lp=lp)
2429 runner = SubunitTestRunner()
2431 if not runner.run(unittest.makeSuite(SamTests)).wasSuccessful():