From 056b2abde615aab986e43c41c297edfaf58aaea2 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 11 Apr 2018 22:47:03 +1200
Subject: [PATCH] dsdb: check for dSHeuristics more carefully

This check would pass if the dSHeuristics was treated as always being 000000000 for searches which is not enough, we must check for a value of 000000001 (userPassword enabled).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13378

Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---
 .../knownfail.d/dsheuristics_userPassword | 1 -
 source4/dsdb/tests/python/passwords.py | 31 +++++++++++++++----
 2 files changed, 25 insertions(+), 7 deletions(-)
 delete mode 100644 selftest/knownfail.d/dsheuristics_userPassword

diff --git a/selftest/knownfail.d/dsheuristics_userPassword b/selftest/knownfail.d/dsheuristics_userPassword
deleted file mode 100644
index 6981255d9e97..000000000000
--- a/selftest/knownfail.d/dsheuristics_userPassword
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.passwords.python\(.*\).__main__.PasswordTests.test_modify_dsheuristics_userPassword
diff --git a/source4/dsdb/tests/python/passwords.py b/source4/dsdb/tests/python/passwords.py
index c8c2b762a644..bbb8be1d2cac 100755
--- a/source4/dsdb/tests/python/passwords.py
+++ b/source4/dsdb/tests/python/passwords.py
@@ -985,7 +985,8 @@ userPassword: thatsAcomplPASS4
 res = ldb1.search("cn=testuser,cn=users," + self.base_dn,
 scope=SCOPE_BASE, attrs=["userPassword"])
 
- # userPassword cannot be read, despite the dsHeuristic setting
+ # userPassword cannot be read, it wasn't set, instead the
+ # password was
 self.assertTrue(len(res) == 1)
 self.assertFalse("userPassword" in res[0])
 
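Review bot: The rewritten comment in the -985 hunk, `# userPassword cannot be read, it wasn't set, instead the` / `# password was`, is an unfinished sentence, so the reader is left without the reason the assertion below it holds. Spell the reason out; if I read the surrounding test and the commit message correctly, something like `# userPassword is not readable here: with userPassword support enabled (dSHeuristics 000000001) the value is consumed as a password change and never stored as an attribute` — confirm this against what ldb1 did before this hunk. The enclosing test method starts before this hunk and continues after it.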
@@ -993,7 +994,15 @@ userPassword: thatsAcomplPASS4
 ldb2 = SamDB(url=host, session_info=system_session(lp),
 credentials=creds, lp=lp)
 
- # Set userPassword to be unreadable
+ res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["userPassword"])
+
+ # Check on the new connection that userPassword was not stored
+ # from ldb1 or is not readable
+ self.assertTrue(len(res) == 1)
+ self.assertFalse("userPassword" in res[0])
+
+ # Set userPassword to be readable
 # This setting does not affect this connection
 ldb2.set_dsheuristics("000000000")
 time.sleep(1)
@@ -1014,11 +1023,10 @@ userPassword: thatsAcomplPASS4
 res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
 scope=SCOPE_BASE, attrs=["userPassword"])
 
- # userPassword can be read in this connection
- # This is regardless of the current dsHeuristics setting
+ # Check despite setting it with userPassword support disabled
+ # on this connection it should still not be readable
 self.assertTrue(len(res) == 1)
- self.assertTrue("userPassword" in res[0])
- self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")
+ self.assertFalse("userPassword" in res[0])
 
 # Only password from ldb1 is the user's password
 creds2 = Credentials()
@@ -1050,6 +1058,17 @@ userPassword: thatsAcomplPASS4
 # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
 self.ldb.set_dsheuristics("000000001")
 
+ ldb4 = SamDB(url=host, session_info=system_session(lp),
+ credentials=creds, lp=lp)
+
+ # Check that userPassword that was stored from ldb2
+ res = ldb4.search("cn=testuser,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["userPassword"])
+
+ # userPassword can be not be read
+ self.assertTrue(len(res) == 1)
+ self.assertFalse("userPassword" in res[0])
+
 def test_zero_length(self):
 # Get the old "minPwdLength"
 minPwdLength = self.ldb.get_minPwdLength()
-- 
2.34.1
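Review bot: The new assertions `self.assertTrue(len(res) == 1)` and `self.assertFalse("userPassword" in res[0])` give no diagnostic detail when they fail, which matters for a check whose whole purpose is that a plaintext userPassword value must never be returned to a reader; `self.assertEqual(len(res), 1)` and `self.assertNotIn("userPassword", res[0])` report the actual result count and the attributes that did come back. The same pattern is repeated in the -1014 and -1050 hunks. The new comment `# Set userPassword to be readable` next to `ldb2.set_dsheuristics("000000000")` also reads as contradicting the commit message, which calls 000000001 the userPassword-enabled value; if the intent is that disabling userPassword support turns it into an ordinary stored attribute, say so, e.g. `# Disable userPassword support (000000000): the attribute is then stored and readable like any other`. The enclosing test method starts before this hunk and continues after it.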
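Review bot: The replacement comment `# Check despite setting it with userPassword support disabled` / `# on this connection it should still not be readable` in the -1014 hunk is hard to parse, and the point it makes — that ldb2 still behaves as it did when it was opened — is the only reason the assertion below it is expected to hold. Suggest `# dSHeuristics now disables userPassword support, but this connection keeps the setting it was opened with, so userPassword must still be unreadable here`, which ties in with the existing `# This setting does not affect this connection` comment earlier in the method. The enclosing test method starts before this hunk and continues after it.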
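Review bot: Two of the comments added in the -1050 hunk are garbled: `# Check that userPassword that was stored from ldb2` has no predicate and `# userPassword can be not be read` contradicts itself. Suggest `# On a fresh connection, check that the userPassword value set through ldb2 was not stored as a readable attribute` and `# userPassword must not be readable`; I am inferring from context what "stored from ldb2" refers to, so confirm that against the ldb2 modify earlier in the method. It would also help to note that ldb4 is deliberately opened after `self.ldb.set_dsheuristics("000000001")` so that it picks up the re-enabled setting, which is what distinguishes this check from the ldb2 one. The enclosing test method starts before this hunk; the hunk ends at the first lines of test_zero_length.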