2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
11 sys.path.append("bin/python")
13 samba.ensure_external_module("subunit", "subunit/python")
14 samba.ensure_external_module("testtools", "testtools")
16 import samba.getopt as options
18 from samba.auth import system_session
19 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
20 from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
21 from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM
22 from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX
23 from ldb import ERR_NO_SUCH_ATTRIBUTE
24 from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
25 from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION
26 from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE, ERR_INSUFFICIENT_ACCESS_RIGHTS
27 from ldb import Message, MessageElement, Dn
28 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
30 from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_INTERDOMAIN_TRUST_ACCOUNT,
31 UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
32 UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
33 UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE, ATYPE_NORMAL_ACCOUNT,
34 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
35 GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP,
36 GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP, GTYPE_DISTRIBUTION_GLOBAL_GROUP,
37 GTYPE_DISTRIBUTION_UNIVERSAL_GROUP,
38 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_UNIVERSAL_GROUP,
39 ATYPE_SECURITY_LOCAL_GROUP, ATYPE_DISTRIBUTION_GLOBAL_GROUP,
40 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP, ATYPE_DISTRIBUTION_LOCAL_GROUP,
41 ATYPE_WORKSTATION_TRUST, SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE,
42 SYSTEM_FLAG_CONFIG_ALLOW_RENAME, SYSTEM_FLAG_CONFIG_ALLOW_MOVE,
43 SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE)
44 from samba.dcerpc.security import (DOMAIN_RID_USERS, DOMAIN_RID_DOMAIN_MEMBERS,
45 DOMAIN_RID_DCS, DOMAIN_RID_READONLY_DCS)
47 from subunit.run import SubunitTestRunner
50 from samba.ndr import ndr_pack, ndr_unpack
51 from samba.dcerpc import security
53 parser = optparse.OptionParser("sam.py [options] <host>")
54 sambaopts = options.SambaOptions(parser)
55 parser.add_option_group(sambaopts)
56 parser.add_option_group(options.VersionOptions(parser))
57 # use command line creds if available
58 credopts = options.CredentialsOptions(parser)
59 parser.add_option_group(credopts)
60 opts, args = parser.parse_args()
68 lp = sambaopts.get_loadparm()
69 creds = credopts.get_credentials(lp)
71 class SamTests(unittest.TestCase):
73 def delete_force(self, ldb, dn):
76 except LdbError, (num, _):
77 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
79 def find_basedn(self, ldb):
80 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
81 attrs=["defaultNamingContext"])
82 self.assertEquals(len(res), 1)
83 return res[0]["defaultNamingContext"][0]
85 def find_domain_sid(self):
86 res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
87 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
90 super(SamTests, self).setUp()
93 self.base_dn = self.find_basedn(ldb)
94 self.domain_sid = self.find_domain_sid()
96 print "baseDN: %s\n" % self.base_dn
98 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
99 self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
100 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
101 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
102 self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
104 def test_users_groups(self):
105 """This tests the SAM users and groups behaviour"""
106 print "Testing users and groups behaviour\n"
109 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
110 "objectclass": "group"})
113 "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
114 "objectclass": "group"})
116 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
117 scope=SCOPE_BASE, attrs=["objectSID"])
118 self.assertTrue(len(res1) == 1)
119 group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID",
120 res1[0]["objectSID"][0])).split()[1]
122 res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
123 scope=SCOPE_BASE, attrs=["objectSID"])
124 self.assertTrue(len(res1) == 1)
125 group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID",
126 res1[0]["objectSID"][0])).split()[1]
128 # Try to create a user with an invalid account name
131 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
132 "objectclass": ["user", "person"],
133 "sAMAccountName": "administrator"})
135 except LdbError, (num, _):
136 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
137 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
139 # Try to create a user with an invalid primary group
142 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
143 "objectclass": ["user", "person"],
144 "primaryGroupID": "0"})
146 except LdbError, (num, _):
147 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
148 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
150 # Try to Create a user with a valid primary group
153 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
154 "objectclass": ["user", "person"],
155 "primaryGroupID": str(group_rid_1)})
157 except LdbError, (num, _):
158 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
159 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
161 # Test to see how we should behave when the user account doesn't
164 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
165 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
170 except LdbError, (num, _):
171 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
173 # Test to see how we should behave when the account isn't a user
175 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
176 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
181 except LdbError, (num, _):
182 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
184 # Test default primary groups on add operations
187 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
188 "objectclass": ["user", "person"]})
190 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
191 scope=SCOPE_BASE, attrs=["primaryGroupID"])
192 self.assertTrue(len(res1) == 1)
193 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
195 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
198 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
199 "objectclass": ["user", "person"],
200 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD) })
202 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
203 scope=SCOPE_BASE, attrs=["primaryGroupID"])
204 self.assertTrue(len(res1) == 1)
205 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
207 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
209 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
210 # since such accounts aren't directly creatable (ACCESS_DENIED)
213 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
214 "objectclass": ["computer"],
215 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
217 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
218 scope=SCOPE_BASE, attrs=["primaryGroupID"])
219 self.assertTrue(len(res1) == 1)
220 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
222 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
225 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
226 "objectclass": ["computer"],
227 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
229 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
230 scope=SCOPE_BASE, attrs=["primaryGroupID"])
231 self.assertTrue(len(res1) == 1)
232 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
234 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
236 # Read-only DC accounts are only creatable by
237 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
238 # we have a fallback in the assertion)
240 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
241 "objectclass": ["computer"],
242 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
244 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
245 scope=SCOPE_BASE, attrs=["primaryGroupID"])
246 self.assertTrue(len(res1) == 1)
247 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
248 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
250 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
252 # Test default primary groups on modify operations
255 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
256 "objectclass": ["user", "person"]})
259 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
260 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
261 "userAccountControl")
264 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
265 scope=SCOPE_BASE, attrs=["primaryGroupID"])
266 self.assertTrue(len(res1) == 1)
267 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
269 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
270 # since such accounts aren't directly creatable (ACCESS_DENIED)
272 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
275 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
276 "objectclass": ["computer"]})
278 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
279 scope=SCOPE_BASE, attrs=["primaryGroupID"])
280 self.assertTrue(len(res1) == 1)
281 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
284 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
285 m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
286 "userAccountControl")
289 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
290 scope=SCOPE_BASE, attrs=["primaryGroupID"])
291 self.assertTrue(len(res1) == 1)
292 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
295 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
296 m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
297 "userAccountControl")
300 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
301 scope=SCOPE_BASE, attrs=["primaryGroupID"])
302 self.assertTrue(len(res1) == 1)
303 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
305 # Read-only DC accounts are only creatable by
306 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
307 # we have a fallback in the assertion)
309 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
310 m["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
311 "userAccountControl")
314 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
315 scope=SCOPE_BASE, attrs=["primaryGroupID"])
316 self.assertTrue(len(res1) == 1)
317 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
318 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
320 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
322 # Recreate account for further tests
325 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
326 "objectclass": ["user", "person"]})
328 # Try to set an invalid account name
330 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
331 m["sAMAccountName"] = MessageElement("administrator", FLAG_MOD_REPLACE,
336 except LdbError, (num, _):
337 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
339 # But to reset the actual "sAMAccountName" should still be possible
340 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
341 scope=SCOPE_BASE, attrs=["sAMAccountName"])
342 self.assertTrue(len(res1) == 1)
344 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
345 m["sAMAccountName"] = MessageElement(res1[0]["sAMAccountName"][0], FLAG_MOD_REPLACE,
349 # And another (free) name should be possible as well
351 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
352 m["sAMAccountName"] = MessageElement("xxx_ldaptestuser_xxx", FLAG_MOD_REPLACE,
356 # We should be able to reset our actual primary group
358 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
359 m["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS), FLAG_MOD_REPLACE,
363 # Try to add invalid primary group
365 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
366 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
371 except LdbError, (num, _):
372 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
374 # Try to make group 1 primary - should be denied since it is not yet
377 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
378 m["primaryGroupID"] = MessageElement(str(group_rid_1),
379 FLAG_MOD_REPLACE, "primaryGroupID")
383 except LdbError, (num, _):
384 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
386 # Make group 1 secondary
388 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
389 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
390 FLAG_MOD_REPLACE, "member")
393 # Make group 1 primary
395 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
396 m["primaryGroupID"] = MessageElement(str(group_rid_1),
397 FLAG_MOD_REPLACE, "primaryGroupID")
400 # Try to delete group 1 - should be denied
402 ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
404 except LdbError, (num, _):
405 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
407 # Try to add group 1 also as secondary - should be denied
409 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
410 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
411 FLAG_MOD_ADD, "member")
415 except LdbError, (num, _):
416 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
418 # Try to add invalid member to group 1 - should be denied
420 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
421 m["member"] = MessageElement(
422 "cn=ldaptestuser3,cn=users," + self.base_dn,
423 FLAG_MOD_ADD, "member")
427 except LdbError, (num, _):
428 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
430 # Make group 2 secondary
432 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
433 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
434 FLAG_MOD_ADD, "member")
439 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
440 m["primaryGroupID"] = MessageElement(str(group_rid_2),
441 FLAG_MOD_REPLACE, "primaryGroupID")
444 # Swap the groups (does not really make sense but does the same)
446 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
447 m["primaryGroupID"] = MessageElement(str(group_rid_1),
448 FLAG_MOD_REPLACE, "primaryGroupID")
449 m["primaryGroupID"] = MessageElement(str(group_rid_2),
450 FLAG_MOD_REPLACE, "primaryGroupID")
453 # Old primary group should contain a "member" attribute for the user,
454 # the new shouldn't contain anymore one
455 res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
456 scope=SCOPE_BASE, attrs=["member"])
457 self.assertTrue(len(res1) == 1)
458 self.assertTrue(len(res1[0]["member"]) == 1)
459 self.assertEquals(res1[0]["member"][0].lower(),
460 ("cn=ldaptestuser,cn=users," + self.base_dn).lower())
462 res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
463 scope=SCOPE_BASE, attrs=["member"])
464 self.assertTrue(len(res1) == 1)
465 self.assertFalse("member" in res1[0])
467 # Primary group member
469 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
470 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
471 FLAG_MOD_DELETE, "member")
475 except LdbError, (num, _):
476 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
478 # Delete invalid group member
480 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
481 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
482 FLAG_MOD_DELETE, "member")
486 except LdbError, (num, _):
487 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
489 # Also this should be denied
492 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
493 "objectclass": ["user", "person"],
494 "primaryGroupID": "0"})
496 except LdbError, (num, _):
497 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
499 # Recreate user accounts
501 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
504 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
505 "objectclass": ["user", "person"]})
508 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
509 "objectclass": ["user", "person"]})
512 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
513 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
514 FLAG_MOD_ADD, "member")
519 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
520 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
521 FLAG_MOD_ADD, "member")
525 except LdbError, (num, _):
526 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
530 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
531 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
532 FLAG_MOD_REPLACE, "member")
536 except LdbError, (num, _):
537 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
541 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
542 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
543 "cn=ldaptestuser1,cn=users," + self.base_dn],
544 FLAG_MOD_REPLACE, "member")
548 except LdbError, (num, _):
549 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
553 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
554 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
555 FLAG_MOD_REPLACE, "member")
556 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
557 FLAG_MOD_ADD, "member")
561 except LdbError, (num, _):
562 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
565 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
566 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
567 "cn=ldaptestuser2,cn=users," + self.base_dn],
568 FLAG_MOD_REPLACE, "member")
571 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
572 self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
573 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
574 self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
576 def test_sam_attributes(self):
577 """Test the behaviour of special attributes of SAM objects"""
578 print "Testing the behaviour of special attributes of SAM objects\n"""
581 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
582 "objectclass": ["user", "person"]})
584 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
585 "objectclass": "group"})
588 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
589 m["groupType"] = MessageElement("0", FLAG_MOD_ADD,
594 except LdbError, (num, _):
595 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
598 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
599 m["groupType"] = MessageElement([], FLAG_MOD_DELETE,
604 except LdbError, (num, _):
605 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
608 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
609 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_ADD,
614 except LdbError, (num, _):
615 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
618 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
619 m["primaryGroupID"] = MessageElement([], FLAG_MOD_DELETE,
624 except LdbError, (num, _):
625 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
628 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
629 m["userAccountControl"] = MessageElement("0", FLAG_MOD_ADD,
630 "userAccountControl")
634 except LdbError, (num, _):
635 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
638 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
639 m["userAccountControl"] = MessageElement([], FLAG_MOD_DELETE,
640 "userAccountControl")
644 except LdbError, (num, _):
645 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
648 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
649 m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD,
654 except LdbError, (num, _):
655 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
658 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
659 m["sAMAccountType"] = MessageElement([], FLAG_MOD_REPLACE,
664 except LdbError, (num, _):
665 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
668 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
669 m["sAMAccountType"] = MessageElement([], FLAG_MOD_DELETE,
674 except LdbError, (num, _):
675 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
678 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
679 m["sAMAccountName"] = MessageElement("test", FLAG_MOD_ADD,
684 except LdbError, (num, _):
685 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
688 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
689 m["sAMAccountName"] = MessageElement([], FLAG_MOD_DELETE,
694 except LdbError, (num, _):
695 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
697 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
698 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
700 def test_primary_group_token_constructed(self):
701 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
702 print "Testing primary group token behaviour and other constructed attributes\n"
706 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
707 "objectclass": "group",
708 "primaryGroupToken": "100"})
710 except LdbError, (num, _):
711 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
712 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
715 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
716 "objectclass": ["user", "person"]})
719 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
720 "objectclass": "group"})
722 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
723 res1 = ldb.search(self.base_dn,
724 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"])
725 self.assertTrue(len(res1) == 1)
726 self.assertFalse("primaryGroupToken" in res1[0])
727 self.assertTrue("canonicalName" in res1[0])
728 self.assertTrue("objectClass" in res1[0])
729 self.assertTrue("objectSid" in res1[0])
731 res1 = ldb.search(self.base_dn,
732 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"])
733 self.assertTrue(len(res1) == 1)
734 self.assertFalse("primaryGroupToken" in res1[0])
735 self.assertFalse("objectSid" in res1[0])
736 self.assertFalse("objectClass" in res1[0])
737 self.assertTrue("canonicalName" in res1[0])
739 res1 = ldb.search("cn=users," + self.base_dn,
740 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
741 self.assertTrue(len(res1) == 1)
742 self.assertFalse("primaryGroupToken" in res1[0])
744 res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn,
745 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
746 self.assertTrue(len(res1) == 1)
747 self.assertFalse("primaryGroupToken" in res1[0])
749 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
751 self.assertTrue(len(res1) == 1)
752 self.assertFalse("primaryGroupToken" in res1[0])
754 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
755 scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"])
756 self.assertTrue(len(res1) == 1)
757 primary_group_token = int(res1[0]["primaryGroupToken"][0])
759 rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1]
760 self.assertEquals(primary_group_token, rid)
763 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
764 m["primaryGroupToken"] = "100"
768 except LdbError, (num, _):
769 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
771 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
772 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
774 def test_tokenGroups(self):
775 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
776 print "Testing tokenGroups behaviour\n"
778 # The domain object shouldn't contain any "tokenGroups" entry
779 res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"])
780 self.assertTrue(len(res) == 1)
781 self.assertFalse("tokenGroups" in res[0])
783 # The domain administrator should contain "tokenGroups" entries
784 # (the exact number depends on the domain/forest function level and the
785 # DC software versions)
786 res = ldb.search("cn=Administrator,cn=Users," + self.base_dn,
787 scope=SCOPE_BASE, attrs=["tokenGroups"])
788 self.assertTrue(len(res) == 1)
789 self.assertTrue("tokenGroups" in res[0])
792 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
793 "objectclass": ["user", "person"]})
795 # This testuser should contain at least two "tokenGroups" entries
796 # (exactly two on an unmodified "Domain Users" and "Users" group)
797 res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
798 scope=SCOPE_BASE, attrs=["tokenGroups"])
799 self.assertTrue(len(res) == 1)
800 self.assertTrue(len(res[0]["tokenGroups"]) >= 2)
802 # one entry which we need to find should point to domains "Domain Users"
803 # group and another entry should point to the builtin "Users"group
804 domain_users_group_found = False
805 users_group_found = False
806 for sid in res[0]["tokenGroups"]:
807 rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1]
809 domain_users_group_found = True
811 users_group_found = True
813 self.assertTrue(domain_users_group_found)
814 self.assertTrue(users_group_found)
816 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
818 def test_groupType(self):
819 """Test the groupType behaviour"""
820 print "Testing groupType behaviour\n"
822 # You can never create or change to a
823 # "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP"
830 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
831 "objectclass": "group",
834 except LdbError, (num, _):
835 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
836 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
840 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
841 "objectclass": "group",
842 "groupType": str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP)})
844 except LdbError, (num, _):
845 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
846 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
849 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
850 "objectclass": "group",
851 "groupType": str(GTYPE_SECURITY_GLOBAL_GROUP)})
853 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
854 scope=SCOPE_BASE, attrs=["sAMAccountType"])
855 self.assertTrue(len(res1) == 1)
856 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
857 ATYPE_SECURITY_GLOBAL_GROUP)
858 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
861 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
862 "objectclass": "group",
863 "groupType": str(GTYPE_SECURITY_UNIVERSAL_GROUP)})
865 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
866 scope=SCOPE_BASE, attrs=["sAMAccountType"])
867 self.assertTrue(len(res1) == 1)
868 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
869 ATYPE_SECURITY_UNIVERSAL_GROUP)
870 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
873 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
874 "objectclass": "group",
875 "groupType": str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)})
877 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
878 scope=SCOPE_BASE, attrs=["sAMAccountType"])
879 self.assertTrue(len(res1) == 1)
880 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
881 ATYPE_SECURITY_LOCAL_GROUP)
882 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
885 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
886 "objectclass": "group",
887 "groupType": str(GTYPE_DISTRIBUTION_GLOBAL_GROUP)})
889 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
890 scope=SCOPE_BASE, attrs=["sAMAccountType"])
891 self.assertTrue(len(res1) == 1)
892 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
893 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
894 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
897 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
898 "objectclass": "group",
899 "groupType": str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP)})
901 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
902 scope=SCOPE_BASE, attrs=["sAMAccountType"])
903 self.assertTrue(len(res1) == 1)
904 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
905 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
906 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
909 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
910 "objectclass": "group",
911 "groupType": str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)})
913 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
914 scope=SCOPE_BASE, attrs=["sAMAccountType"])
915 self.assertTrue(len(res1) == 1)
916 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
917 ATYPE_DISTRIBUTION_LOCAL_GROUP)
918 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
923 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
924 "objectclass": "group"})
926 # We can change in this direction: global <-> universal <-> local
927 # On each step also the group type itself (security/distribution) is
930 # After creation we should have a "security global group"
931 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
932 scope=SCOPE_BASE, attrs=["sAMAccountType"])
933 self.assertTrue(len(res1) == 1)
934 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
935 ATYPE_SECURITY_GLOBAL_GROUP)
940 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
941 m["groupType"] = MessageElement("0",
942 FLAG_MOD_REPLACE, "groupType")
945 except LdbError, (num, _):
946 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
950 # Default is "global group"
953 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
954 m["groupType"] = MessageElement(
955 str(GTYPE_SECURITY_GLOBAL_GROUP),
956 FLAG_MOD_REPLACE, "groupType")
959 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
960 scope=SCOPE_BASE, attrs=["sAMAccountType"])
961 self.assertTrue(len(res1) == 1)
962 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
963 ATYPE_SECURITY_GLOBAL_GROUP)
965 # Change to "local" (shouldn't work)
969 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
970 m["groupType"] = MessageElement(
971 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
972 FLAG_MOD_REPLACE, "groupType")
975 except LdbError, (num, _):
976 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
978 # Change to "universal"
981 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
982 m["groupType"] = MessageElement(
983 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
984 FLAG_MOD_REPLACE, "groupType")
987 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
988 scope=SCOPE_BASE, attrs=["sAMAccountType"])
989 self.assertTrue(len(res1) == 1)
990 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
991 ATYPE_SECURITY_UNIVERSAL_GROUP)
993 # Change back to "global"
996 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
997 m["groupType"] = MessageElement(
998 str(GTYPE_SECURITY_GLOBAL_GROUP),
999 FLAG_MOD_REPLACE, "groupType")
1002 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1003 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1004 self.assertTrue(len(res1) == 1)
1005 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1006 ATYPE_SECURITY_GLOBAL_GROUP)
1008 # Change back to "universal"
1011 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1012 m["groupType"] = MessageElement(
1013 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1014 FLAG_MOD_REPLACE, "groupType")
1017 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1018 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1019 self.assertTrue(len(res1) == 1)
1020 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1021 ATYPE_SECURITY_UNIVERSAL_GROUP)
1026 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1027 m["groupType"] = MessageElement(
1028 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1029 FLAG_MOD_REPLACE, "groupType")
1032 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1033 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1034 self.assertTrue(len(res1) == 1)
1035 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1036 ATYPE_SECURITY_LOCAL_GROUP)
1038 # Change to "global" (shouldn't work)
1042 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1043 m["groupType"] = MessageElement(
1044 str(GTYPE_SECURITY_GLOBAL_GROUP),
1045 FLAG_MOD_REPLACE, "groupType")
1048 except LdbError, (num, _):
1049 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1051 # Change to "builtin local" (shouldn't work)
1055 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1056 m["groupType"] = MessageElement(
1057 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1058 FLAG_MOD_REPLACE, "groupType")
1061 except LdbError, (num, _):
1062 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1065 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1067 # Change back to "universal"
1070 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1071 m["groupType"] = MessageElement(
1072 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1073 FLAG_MOD_REPLACE, "groupType")
1076 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1077 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1078 self.assertTrue(len(res1) == 1)
1079 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1080 ATYPE_SECURITY_UNIVERSAL_GROUP)
1082 # Change to "builtin local" (shouldn't work)
1086 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1087 m["groupType"] = MessageElement(
1088 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1089 FLAG_MOD_REPLACE, "groupType")
1092 except LdbError, (num, _):
1093 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1095 # Change back to "global"
1098 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1099 m["groupType"] = MessageElement(
1100 str(GTYPE_SECURITY_GLOBAL_GROUP),
1101 FLAG_MOD_REPLACE, "groupType")
1104 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1105 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1106 self.assertTrue(len(res1) == 1)
1107 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1108 ATYPE_SECURITY_GLOBAL_GROUP)
1110 # Change to "builtin local" (shouldn't work)
1114 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1115 m["groupType"] = MessageElement(
1116 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1117 FLAG_MOD_REPLACE, "groupType")
1120 except LdbError, (num, _):
1121 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1123 # Distribution groups
1125 # Default is "global group"
1128 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1129 m["groupType"] = MessageElement(
1130 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1131 FLAG_MOD_REPLACE, "groupType")
1134 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1135 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1136 self.assertTrue(len(res1) == 1)
1137 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1138 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1140 # Change to local (shouldn't work)
1144 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1145 m["groupType"] = MessageElement(
1146 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1147 FLAG_MOD_REPLACE, "groupType")
1150 except LdbError, (num, _):
1151 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1153 # Change to "universal"
1156 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1157 m["groupType"] = MessageElement(
1158 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1159 FLAG_MOD_REPLACE, "groupType")
1162 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1163 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1164 self.assertTrue(len(res1) == 1)
1165 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1166 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1168 # Change back to "global"
1171 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1172 m["groupType"] = MessageElement(
1173 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1174 FLAG_MOD_REPLACE, "groupType")
1177 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1178 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1179 self.assertTrue(len(res1) == 1)
1180 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1181 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1183 # Change back to "universal"
1186 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1187 m["groupType"] = MessageElement(
1188 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1189 FLAG_MOD_REPLACE, "groupType")
1192 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1193 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1194 self.assertTrue(len(res1) == 1)
1195 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1196 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1201 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1202 m["groupType"] = MessageElement(
1203 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1204 FLAG_MOD_REPLACE, "groupType")
1207 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1208 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1209 self.assertTrue(len(res1) == 1)
1210 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1211 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1213 # Change to "global" (shouldn't work)
1217 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1218 m["groupType"] = MessageElement(
1219 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1220 FLAG_MOD_REPLACE, "groupType")
1223 except LdbError, (num, _):
1224 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1226 # Change back to "universal"
1228 # Try to add invalid member to group 1 - should be denied
1230 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1231 m["member"] = MessageElement(
1232 "cn=ldaptestuser3,cn=users," + self.base_dn,
1233 FLAG_MOD_ADD, "member")
1237 except LdbError, (num, _):
1238 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1240 # Make group 2 secondary
1242 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1243 m["groupType"] = MessageElement(
1244 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1245 FLAG_MOD_REPLACE, "groupType")
1248 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1249 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1250 self.assertTrue(len(res1) == 1)
1251 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1252 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1254 # Change back to "global"
1257 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1258 m["groupType"] = MessageElement(
1259 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1260 FLAG_MOD_REPLACE, "groupType")
1263 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1264 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1265 self.assertTrue(len(res1) == 1)
1266 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1267 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1269 # Both group types: this performs only random checks - all possibilities
1270 # would require too much code.
1272 # Default is "global group"
1275 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1276 m["groupType"] = MessageElement(
1277 str(GTYPE_SECURITY_GLOBAL_GROUP),
1278 FLAG_MOD_REPLACE, "groupType")
1281 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1282 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1283 self.assertTrue(len(res1) == 1)
1284 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1285 ATYPE_SECURITY_GLOBAL_GROUP)
1287 # Change to "local" (shouldn't work)
1291 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1292 m["groupType"] = MessageElement(
1293 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1294 FLAG_MOD_REPLACE, "groupType")
1297 except LdbError, (num, _):
1298 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1300 # Change to "universal"
1303 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1304 m["groupType"] = MessageElement(
1305 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1306 FLAG_MOD_REPLACE, "groupType")
1309 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1310 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1311 self.assertTrue(len(res1) == 1)
1312 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1313 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1315 # Change back to "global"
1318 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1319 m["groupType"] = MessageElement(
1320 str(GTYPE_SECURITY_GLOBAL_GROUP),
1321 FLAG_MOD_REPLACE, "groupType")
1324 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1325 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1326 self.assertTrue(len(res1) == 1)
1327 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1328 ATYPE_SECURITY_GLOBAL_GROUP)
1330 # Change back to "universal"
1333 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1334 m["groupType"] = MessageElement(
1335 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1336 FLAG_MOD_REPLACE, "groupType")
1339 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1340 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1341 self.assertTrue(len(res1) == 1)
1342 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1343 ATYPE_SECURITY_UNIVERSAL_GROUP)
1348 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1349 m["groupType"] = MessageElement(
1350 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1351 FLAG_MOD_REPLACE, "groupType")
1354 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1355 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1356 self.assertTrue(len(res1) == 1)
1357 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1358 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1360 # Change to "global" (shouldn't work)
1364 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1365 m["groupType"] = MessageElement(
1366 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1367 FLAG_MOD_REPLACE, "groupType")
1370 except LdbError, (num, _):
1371 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1373 # Change back to "universal"
1376 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1377 m["groupType"] = MessageElement(
1378 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1379 FLAG_MOD_REPLACE, "groupType")
1382 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1383 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1384 self.assertTrue(len(res1) == 1)
1385 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1386 ATYPE_SECURITY_UNIVERSAL_GROUP)
1388 # Change back to "global"
1391 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1392 m["groupType"] = MessageElement(
1393 str(GTYPE_SECURITY_GLOBAL_GROUP),
1394 FLAG_MOD_REPLACE, "groupType")
1397 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1398 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1399 self.assertTrue(len(res1) == 1)
1400 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1401 ATYPE_SECURITY_GLOBAL_GROUP)
1403 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1405 def test_userAccountControl(self):
1406 """Test the userAccountControl behaviour"""
1407 print "Testing userAccountControl behaviour\n"
1409 # With a user object
1413 # As user you can only set a normal account.
1414 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1416 # With SYSTEM rights you can set a interdomain trust account.
1421 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1422 "objectclass": ["user", "person"],
1423 "userAccountControl": "0"})
1425 except LdbError, (num, _):
1426 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1427 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1429 # This has to wait until s4 supports it (needs a password module change)
1432 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1433 # "objectclass": ["user", "person"],
1434 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1436 # except LdbError, (num, _):
1437 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1438 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1441 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1442 "objectclass": ["user", "person"],
1443 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1445 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1446 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1447 self.assertTrue(len(res1) == 1)
1448 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1449 ATYPE_NORMAL_ACCOUNT)
1450 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1454 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1455 "objectclass": ["user", "person"],
1456 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1458 except LdbError, (num, _):
1459 self.assertEquals(num, ERR_OTHER)
1460 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1462 # This isn't supported yet in s4
1465 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1466 # "objectclass": ["user", "person"],
1467 # "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1469 # except LdbError, (num, _):
1470 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1471 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1475 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1476 # "objectclass": ["user", "person"],
1477 # "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1478 # except LdbError, (num, _):
1479 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1480 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1482 # This isn't supported yet in s4 - needs ACL module adaption
1485 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1486 # "objectclass": ["user", "person"],
1487 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1489 # except LdbError, (num, _):
1490 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1491 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1496 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1497 "objectclass": ["user", "person"]})
1499 # After creation we should have a normal account
1500 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1501 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1502 self.assertTrue(len(res1) == 1)
1503 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1504 ATYPE_NORMAL_ACCOUNT)
1506 # As user you can only switch from a normal account to a workstation
1507 # trust account and back.
1508 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1510 # With SYSTEM rights you can switch to a interdomain trust account.
1515 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1516 m["userAccountControl"] = MessageElement("0",
1517 FLAG_MOD_REPLACE, "userAccountControl")
1519 except LdbError, (num, _):
1520 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1522 # This has to wait until s4 supports it (needs a password module change)
1525 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1526 # m["userAccountControl"] = MessageElement(
1527 # str(UF_NORMAL_ACCOUNT),
1528 # FLAG_MOD_REPLACE, "userAccountControl")
1530 # except LdbError, (num, _):
1531 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1534 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1535 m["userAccountControl"] = MessageElement(
1536 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1537 FLAG_MOD_REPLACE, "userAccountControl")
1540 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1541 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1542 self.assertTrue(len(res1) == 1)
1543 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1544 ATYPE_NORMAL_ACCOUNT)
1548 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1549 m["userAccountControl"] = MessageElement(
1550 str(UF_TEMP_DUPLICATE_ACCOUNT),
1551 FLAG_MOD_REPLACE, "userAccountControl")
1554 except LdbError, (num, _):
1555 self.assertEquals(num, ERR_OTHER)
1557 # This isn't supported yet in s4
1560 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1561 # m["userAccountControl"] = MessageElement(
1562 # str(UF_SERVER_TRUST_ACCOUNT),
1563 # FLAG_MOD_REPLACE, "userAccountControl")
1566 # except LdbError, (num, _):
1567 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1570 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1571 m["userAccountControl"] = MessageElement(
1572 str(UF_WORKSTATION_TRUST_ACCOUNT),
1573 FLAG_MOD_REPLACE, "userAccountControl")
1576 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1577 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1578 self.assertTrue(len(res1) == 1)
1579 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1580 ATYPE_WORKSTATION_TRUST)
1583 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1584 m["userAccountControl"] = MessageElement(
1585 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1586 FLAG_MOD_REPLACE, "userAccountControl")
1589 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1590 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1591 self.assertTrue(len(res1) == 1)
1592 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1593 ATYPE_NORMAL_ACCOUNT)
1595 # This isn't supported yet in s4 - needs ACL module adaption
1598 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1599 # m["userAccountControl"] = MessageElement(
1600 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1601 # FLAG_MOD_REPLACE, "userAccountControl")
1604 # except LdbError, (num, _):
1605 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1607 # With a computer object
1611 # As computer you can set a normal account and a server trust account.
1612 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1614 # With SYSTEM rights you can set a interdomain trust account.
1619 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1620 "objectclass": ["computer"],
1621 "userAccountControl": "0"})
1623 except LdbError, (num, _):
1624 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1625 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1627 # This has to wait until s4 supports it (needs a password module change)
1630 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1631 # "objectclass": ["computer"],
1632 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1634 # except LdbError, (num, _):
1635 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1636 # self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1639 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1640 "objectclass": ["computer"],
1641 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1643 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1644 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1645 self.assertTrue(len(res1) == 1)
1646 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1647 ATYPE_NORMAL_ACCOUNT)
1648 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1652 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1653 "objectclass": ["computer"],
1654 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1656 except LdbError, (num, _):
1657 self.assertEquals(num, ERR_OTHER)
1658 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1661 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1662 "objectclass": ["computer"],
1663 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1665 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1666 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1667 self.assertTrue(len(res1) == 1)
1668 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1669 ATYPE_WORKSTATION_TRUST)
1670 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1674 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1675 "objectclass": ["computer"],
1676 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1677 except LdbError, (num, _):
1678 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1679 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1681 # This isn't supported yet in s4 - needs ACL module adaption
1684 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1685 # "objectclass": ["computer"],
1686 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1688 # except LdbError, (num, _):
1689 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1690 # self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1695 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1696 "objectclass": ["computer"]})
1698 # After creation we should have a normal account
1699 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1700 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1701 self.assertTrue(len(res1) == 1)
1702 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1703 ATYPE_NORMAL_ACCOUNT)
1705 # As computer you can switch from a normal account to a workstation
1706 # or server trust account and back (also swapping between trust
1707 # accounts is allowed).
1708 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1710 # With SYSTEM rights you can switch to a interdomain trust account.
1715 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1716 m["userAccountControl"] = MessageElement("0",
1717 FLAG_MOD_REPLACE, "userAccountControl")
1719 except LdbError, (num, _):
1720 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1722 # This has to wait until s4 supports it (needs a password module change)
1725 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1726 # m["userAccountControl"] = MessageElement(
1727 # str(UF_NORMAL_ACCOUNT),
1728 # FLAG_MOD_REPLACE, "userAccountControl")
1730 # except LdbError, (num, _):
1731 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1734 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1735 m["userAccountControl"] = MessageElement(
1736 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1737 FLAG_MOD_REPLACE, "userAccountControl")
1740 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1741 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1742 self.assertTrue(len(res1) == 1)
1743 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1744 ATYPE_NORMAL_ACCOUNT)
1748 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1749 m["userAccountControl"] = MessageElement(
1750 str(UF_TEMP_DUPLICATE_ACCOUNT),
1751 FLAG_MOD_REPLACE, "userAccountControl")
1754 except LdbError, (num, _):
1755 self.assertEquals(num, ERR_OTHER)
1758 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1759 m["userAccountControl"] = MessageElement(
1760 str(UF_SERVER_TRUST_ACCOUNT),
1761 FLAG_MOD_REPLACE, "userAccountControl")
1764 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1765 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1766 self.assertTrue(len(res1) == 1)
1767 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1768 ATYPE_WORKSTATION_TRUST)
1771 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1772 m["userAccountControl"] = MessageElement(
1773 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1774 FLAG_MOD_REPLACE, "userAccountControl")
1777 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1778 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1779 self.assertTrue(len(res1) == 1)
1780 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1781 ATYPE_NORMAL_ACCOUNT)
1784 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1785 m["userAccountControl"] = MessageElement(
1786 str(UF_WORKSTATION_TRUST_ACCOUNT),
1787 FLAG_MOD_REPLACE, "userAccountControl")
1790 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1791 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1792 self.assertTrue(len(res1) == 1)
1793 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1794 ATYPE_WORKSTATION_TRUST)
1797 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1798 m["userAccountControl"] = MessageElement(
1799 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1800 FLAG_MOD_REPLACE, "userAccountControl")
1803 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1804 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1805 self.assertTrue(len(res1) == 1)
1806 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1807 ATYPE_NORMAL_ACCOUNT)
1810 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1811 m["userAccountControl"] = MessageElement(
1812 str(UF_SERVER_TRUST_ACCOUNT),
1813 FLAG_MOD_REPLACE, "userAccountControl")
1816 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1817 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1818 self.assertTrue(len(res1) == 1)
1819 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1820 ATYPE_WORKSTATION_TRUST)
1823 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1824 m["userAccountControl"] = MessageElement(
1825 str(UF_WORKSTATION_TRUST_ACCOUNT),
1826 FLAG_MOD_REPLACE, "userAccountControl")
1829 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1830 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1831 self.assertTrue(len(res1) == 1)
1832 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1833 ATYPE_WORKSTATION_TRUST)
1835 # This isn't supported yet in s4 - needs ACL module adaption
1838 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1839 # m["userAccountControl"] = MessageElement(
1840 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1841 # FLAG_MOD_REPLACE, "userAccountControl")
1844 # except LdbError, (num, _):
1845 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1847 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1848 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1850 def test_dNSHostName(self):
1851 """Test the dNSHostName behaviour"""
1852 print "Testing dNSHostName behaviour\n"
1855 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1856 "objectclass": "computer",
1857 "dNSHostName": "testname.testdom"})
1859 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1860 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1861 self.assertTrue(len(res) == 1)
1862 self.assertFalse("servicePrincipalName" in res[0])
1864 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1867 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1868 "objectclass": "computer",
1869 "servicePrincipalName": "HOST/testname.testdom"})
1871 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1872 scope=SCOPE_BASE, attrs=["dNSHostName"])
1873 self.assertTrue(len(res) == 1)
1874 self.assertFalse("dNSHostName" in res[0])
1876 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1879 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1880 "objectclass": "computer",
1881 "dNSHostName": "testname2.testdom",
1882 "servicePrincipalName": "HOST/testname.testdom"})
1884 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1885 scope=SCOPE_BASE, attrs=["dNSHostName"])
1886 self.assertTrue(len(res) == 1)
1887 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
1889 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1890 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1891 self.assertTrue(len(res) == 1)
1892 self.assertEquals(res[0]["servicePrincipalName"][0],
1893 "HOST/testname.testdom")
1896 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1897 m["dNSHostName"] = MessageElement("testname.testdoM",
1898 FLAG_MOD_REPLACE, "dNSHostName")
1901 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1902 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1903 self.assertTrue(len(res) == 1)
1904 self.assertEquals(res[0]["servicePrincipalName"][0],
1905 "HOST/testname.testdom")
1908 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1909 m["dNSHostName"] = MessageElement("testname2.testdom2",
1910 FLAG_MOD_REPLACE, "dNSHostName")
1913 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1914 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1915 self.assertTrue(len(res) == 1)
1916 self.assertEquals(res[0]["servicePrincipalName"][0],
1917 "HOST/testname2.testdom2")
1920 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1921 m["dNSHostName"] = MessageElement([],
1922 FLAG_MOD_DELETE, "dNSHostName")
1925 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1926 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1927 self.assertTrue(len(res) == 1)
1928 self.assertEquals(res[0]["servicePrincipalName"][0],
1929 "HOST/testname2.testdom2")
1932 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1933 m["dNSHostName"] = MessageElement("testname.testdom3",
1934 FLAG_MOD_REPLACE, "dNSHostName")
1937 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1938 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1939 self.assertTrue(len(res) == 1)
1940 self.assertEquals(res[0]["servicePrincipalName"][0],
1941 "HOST/testname2.testdom2")
1944 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1945 m["dNSHostName"] = MessageElement("testname2.testdom2",
1946 FLAG_MOD_REPLACE, "dNSHostName")
1950 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1951 m["dNSHostName"] = MessageElement("testname3.testdom3",
1952 FLAG_MOD_REPLACE, "dNSHostName")
1953 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
1955 "servicePrincipalName")
1958 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1959 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1960 self.assertTrue(len(res) == 1)
1961 self.assertEquals(res[0]["servicePrincipalName"][0],
1962 "HOST/testname3.testdom3")
1965 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1966 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
1968 "servicePrincipalName")
1969 m["dNSHostName"] = MessageElement("testname4.testdom4",
1970 FLAG_MOD_REPLACE, "dNSHostName")
1973 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1974 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1975 self.assertTrue(len(res) == 1)
1976 self.assertEquals(res[0]["servicePrincipalName"][0],
1977 "HOST/testname2.testdom2")
1980 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1981 m["servicePrincipalName"] = MessageElement([],
1983 "servicePrincipalName")
1987 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1988 m["dNSHostName"] = MessageElement("testname2.testdom2",
1989 FLAG_MOD_REPLACE, "dNSHostName")
1992 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1993 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1994 self.assertTrue(len(res) == 1)
1995 self.assertFalse("servicePrincipalName" in res[0])
1997 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2000 if not "://" in host:
2001 if os.path.isfile(host):
2002 host = "tdb://%s" % host
2004 host = "ldap://%s" % host
2006 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
2007 if not "tdb://" in host:
2008 gc_ldb = Ldb("%s:3268" % host, credentials=creds,
2009 session_info=system_session(), lp=lp)
2013 runner = SubunitTestRunner()
2015 if not runner.run(unittest.makeSuite(SamTests)).wasSuccessful():