2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
9 sys.path.insert(0, "bin/python")
11 samba.ensure_external_module("testtools", "testtools")
12 samba.ensure_external_module("subunit", "subunit/python")
14 import samba.getopt as options
16 from samba.auth import system_session
17 from ldb import SCOPE_BASE, LdbError
18 from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
19 from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM
20 from ldb import ERR_OTHER, ERR_NO_SUCH_ATTRIBUTE
21 from ldb import ERR_OBJECT_CLASS_VIOLATION
22 from ldb import ERR_CONSTRAINT_VIOLATION
23 from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
24 from ldb import Message, MessageElement, Dn
25 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
26 from samba.samdb import SamDB
27 from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_ACCOUNTDISABLE,
28 UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
29 UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
30 UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT,
31 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
32 GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP,
33 GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP, GTYPE_DISTRIBUTION_GLOBAL_GROUP,
34 GTYPE_DISTRIBUTION_UNIVERSAL_GROUP,
35 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_UNIVERSAL_GROUP,
36 ATYPE_SECURITY_LOCAL_GROUP, ATYPE_DISTRIBUTION_GLOBAL_GROUP,
37 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP, ATYPE_DISTRIBUTION_LOCAL_GROUP,
38 ATYPE_WORKSTATION_TRUST)
39 from samba.dcerpc.security import (DOMAIN_RID_USERS, DOMAIN_RID_ADMINS,
40 DOMAIN_RID_DOMAIN_MEMBERS, DOMAIN_RID_DCS, DOMAIN_RID_READONLY_DCS)
42 from subunit.run import SubunitTestRunner
45 from samba.dcerpc import security
46 from samba.tests import delete_force
48 parser = optparse.OptionParser("sam.py [options] <host>")
49 sambaopts = options.SambaOptions(parser)
50 parser.add_option_group(sambaopts)
51 parser.add_option_group(options.VersionOptions(parser))
52 # use command line creds if available
53 credopts = options.CredentialsOptions(parser)
54 parser.add_option_group(credopts)
55 opts, args = parser.parse_args()
63 lp = sambaopts.get_loadparm()
64 creds = credopts.get_credentials(lp)
66 class SamTests(samba.tests.TestCase):
69 super(SamTests, self).setUp()
71 self.base_dn = ldb.domain_dn()
73 print "baseDN: %s\n" % self.base_dn
75 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
76 delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
77 delete_force(self.ldb, "cn=ldaptest\,specialuser,cn=users," + self.base_dn)
78 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
79 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
80 delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
82 def test_users_groups(self):
83 """This tests the SAM users and groups behaviour"""
84 print "Testing users and groups behaviour\n"
87 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
88 "objectclass": "group"})
91 "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
92 "objectclass": "group"})
94 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
95 scope=SCOPE_BASE, attrs=["objectSID"])
96 self.assertTrue(len(res1) == 1)
97 group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID",
98 res1[0]["objectSID"][0])).split()[1]
100 res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
101 scope=SCOPE_BASE, attrs=["objectSID"])
102 self.assertTrue(len(res1) == 1)
103 group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID",
104 res1[0]["objectSID"][0])).split()[1]
106 # Try to create a user with an invalid account name
109 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
110 "objectclass": "user",
111 "sAMAccountName": "administrator"})
113 except LdbError, (num, _):
114 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
115 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
117 # Try to create a user with an invalid account name
120 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
121 "objectclass": "user",
122 "sAMAccountName": []})
124 except LdbError, (num, _):
125 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
126 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
128 # Try to create a user with an invalid primary group
131 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
132 "objectclass": "user",
133 "primaryGroupID": "0"})
135 except LdbError, (num, _):
136 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
137 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
139 # Try to Create a user with a valid primary group
142 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
143 "objectclass": "user",
144 "primaryGroupID": str(group_rid_1)})
146 except LdbError, (num, _):
147 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
148 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
150 # Test to see how we should behave when the user account doesn't
153 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
154 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
159 except LdbError, (num, _):
160 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
162 # Test to see how we should behave when the account isn't a user
164 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
165 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
170 except LdbError, (num, _):
171 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
173 # Test default primary groups on add operations
176 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
177 "objectclass": "user"})
179 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
180 scope=SCOPE_BASE, attrs=["primaryGroupID"])
181 self.assertTrue(len(res1) == 1)
182 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
184 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
187 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
188 "objectclass": "user",
189 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD) })
191 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
192 scope=SCOPE_BASE, attrs=["primaryGroupID"])
193 self.assertTrue(len(res1) == 1)
194 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
196 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
198 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
199 # since such accounts aren't directly creatable (ACCESS_DENIED)
202 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
203 "objectclass": "computer",
204 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
206 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
207 scope=SCOPE_BASE, attrs=["primaryGroupID"])
208 self.assertTrue(len(res1) == 1)
209 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
211 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
214 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
215 "objectclass": "computer",
216 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
218 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
219 scope=SCOPE_BASE, attrs=["primaryGroupID"])
220 self.assertTrue(len(res1) == 1)
221 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
223 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
225 # Read-only DC accounts are only creatable by
226 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
227 # we have a fallback in the assertion)
229 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
230 "objectclass": "computer",
231 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
233 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
234 scope=SCOPE_BASE, attrs=["primaryGroupID"])
235 self.assertTrue(len(res1) == 1)
236 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
237 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
239 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
241 # Test default primary groups on modify operations
244 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
245 "objectclass": "user"})
248 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
249 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
250 "userAccountControl")
253 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
254 scope=SCOPE_BASE, attrs=["primaryGroupID"])
255 self.assertTrue(len(res1) == 1)
256 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
258 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
259 # since such accounts aren't directly creatable (ACCESS_DENIED)
261 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
264 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
265 "objectclass": "computer"})
267 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
268 scope=SCOPE_BASE, attrs=["primaryGroupID"])
269 self.assertTrue(len(res1) == 1)
270 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
273 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
274 m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
275 "userAccountControl")
278 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
279 scope=SCOPE_BASE, attrs=["primaryGroupID"])
280 self.assertTrue(len(res1) == 1)
281 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
284 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
285 m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
286 "userAccountControl")
289 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
290 scope=SCOPE_BASE, attrs=["primaryGroupID"])
291 self.assertTrue(len(res1) == 1)
292 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
294 # Read-only DC accounts are only creatable by
295 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
296 # we have a fallback in the assertion)
298 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
299 m["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
300 "userAccountControl")
303 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
304 scope=SCOPE_BASE, attrs=["primaryGroupID"])
305 self.assertTrue(len(res1) == 1)
306 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
307 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
309 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
311 # Recreate account for further tests
314 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
315 "objectclass": "user"})
317 # Try to set an invalid account name
319 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
320 m["sAMAccountName"] = MessageElement("administrator", FLAG_MOD_REPLACE,
325 except LdbError, (num, _):
326 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
328 # But to reset the actual "sAMAccountName" should still be possible
329 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
330 scope=SCOPE_BASE, attrs=["sAMAccountName"])
331 self.assertTrue(len(res1) == 1)
333 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
334 m["sAMAccountName"] = MessageElement(res1[0]["sAMAccountName"][0], FLAG_MOD_REPLACE,
338 # And another (free) name should be possible as well
340 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
341 m["sAMAccountName"] = MessageElement("xxx_ldaptestuser_xxx", FLAG_MOD_REPLACE,
345 # We should be able to reset our actual primary group
347 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
348 m["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS), FLAG_MOD_REPLACE,
352 # Try to add invalid primary group
354 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
355 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
360 except LdbError, (num, _):
361 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
363 # Try to make group 1 primary - should be denied since it is not yet
366 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
367 m["primaryGroupID"] = MessageElement(str(group_rid_1),
368 FLAG_MOD_REPLACE, "primaryGroupID")
372 except LdbError, (num, _):
373 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
375 # Make group 1 secondary
377 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
378 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
379 FLAG_MOD_REPLACE, "member")
382 # Make group 1 primary
384 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
385 m["primaryGroupID"] = MessageElement(str(group_rid_1),
386 FLAG_MOD_REPLACE, "primaryGroupID")
389 # Try to delete group 1 - should be denied
391 ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
393 except LdbError, (num, _):
394 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
396 # Try to add group 1 also as secondary - should be denied
398 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
399 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
400 FLAG_MOD_ADD, "member")
404 except LdbError, (num, _):
405 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
407 # Try to add invalid member to group 1 - should be denied
409 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
410 m["member"] = MessageElement(
411 "cn=ldaptestuser3,cn=users," + self.base_dn,
412 FLAG_MOD_ADD, "member")
416 except LdbError, (num, _):
417 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
419 # Make group 2 secondary
421 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
422 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
423 FLAG_MOD_ADD, "member")
428 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
429 m["primaryGroupID"] = MessageElement(str(group_rid_2),
430 FLAG_MOD_REPLACE, "primaryGroupID")
433 # Swap the groups (does not really make sense but does the same)
435 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
436 m["primaryGroupID"] = MessageElement(str(group_rid_1),
437 FLAG_MOD_REPLACE, "primaryGroupID")
438 m["primaryGroupID"] = MessageElement(str(group_rid_2),
439 FLAG_MOD_REPLACE, "primaryGroupID")
442 # Old primary group should contain a "member" attribute for the user,
443 # the new shouldn't contain anymore one
444 res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
445 scope=SCOPE_BASE, attrs=["member"])
446 self.assertTrue(len(res1) == 1)
447 self.assertTrue(len(res1[0]["member"]) == 1)
448 self.assertEquals(res1[0]["member"][0].lower(),
449 ("cn=ldaptestuser,cn=users," + self.base_dn).lower())
451 res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
452 scope=SCOPE_BASE, attrs=["member"])
453 self.assertTrue(len(res1) == 1)
454 self.assertFalse("member" in res1[0])
456 # Primary group member
458 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
459 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
460 FLAG_MOD_DELETE, "member")
464 except LdbError, (num, _):
465 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
467 # Delete invalid group member
469 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
470 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
471 FLAG_MOD_DELETE, "member")
475 except LdbError, (num, _):
476 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
478 # Also this should be denied
481 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
482 "objectclass": "user",
483 "primaryGroupID": "0"})
485 except LdbError, (num, _):
486 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
488 # Recreate user accounts
490 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
493 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
494 "objectclass": "user"})
497 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
498 "objectclass": "user"})
501 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
502 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
503 FLAG_MOD_ADD, "member")
508 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
509 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
510 FLAG_MOD_ADD, "member")
514 except LdbError, (num, _):
515 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
517 # Already added, but as <SID=...>
518 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
519 scope=SCOPE_BASE, attrs=["objectSid"])
520 self.assertTrue(len(res1) == 1)
521 sid_bin = res1[0]["objectSid"][0]
522 sid_str = ("<SID=" + ldb.schema_format_value("objectSid", sid_bin) + ">").upper()
525 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
526 m["member"] = MessageElement(sid_str, FLAG_MOD_ADD, "member")
530 except LdbError, (num, _):
531 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
535 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
536 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
537 FLAG_MOD_REPLACE, "member")
541 except LdbError, (num, _):
542 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
546 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
547 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
548 "cn=ldaptestuser1,cn=users," + self.base_dn],
549 FLAG_MOD_REPLACE, "member")
553 except LdbError, (num, _):
554 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
558 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
559 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
560 FLAG_MOD_REPLACE, "member")
561 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
562 FLAG_MOD_ADD, "member")
566 except LdbError, (num, _):
567 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
570 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
571 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
572 "cn=ldaptestuser2,cn=users," + self.base_dn],
573 FLAG_MOD_REPLACE, "member")
576 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
577 delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
578 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
579 delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
581 # Make also a small test for accounts with special DNs ("," in this case)
583 "dn": "cn=ldaptest\,specialuser,cn=users," + self.base_dn,
584 "objectclass": "user"})
585 delete_force(self.ldb, "cn=ldaptest\,specialuser,cn=users," + self.base_dn)
587 def test_sam_attributes(self):
588 """Test the behaviour of special attributes of SAM objects"""
589 print "Testing the behaviour of special attributes of SAM objects\n"""
592 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
593 "objectclass": "user"})
595 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
596 "objectclass": "group"})
599 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
600 m["groupType"] = MessageElement(str(GTYPE_SECURITY_GLOBAL_GROUP), FLAG_MOD_ADD,
605 except LdbError, (num, _):
606 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
608 # Delete protection tests
610 for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType",
611 "sAMAccountName", "groupType"]:
614 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
615 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
619 except LdbError, (num, _):
620 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
623 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
624 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
628 except LdbError, (num, _):
629 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
632 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
633 m["primaryGroupID"] = MessageElement("513", FLAG_MOD_ADD,
638 except LdbError, (num, _):
639 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
642 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
643 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD,
644 "userAccountControl")
648 except LdbError, (num, _):
649 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
652 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
653 m["objectSid"] = MessageElement("xxxxxxxxxxxxxxxx", FLAG_MOD_ADD,
658 except LdbError, (num, _):
659 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
662 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
663 m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD,
668 except LdbError, (num, _):
669 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
672 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
673 m["sAMAccountName"] = MessageElement("test", FLAG_MOD_ADD,
678 except LdbError, (num, _):
679 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
681 # Delete protection tests
683 for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType",
684 "sAMAccountName", "primaryGroupID", "userAccountControl",
685 "accountExpires", "badPasswordTime", "badPwdCount",
686 "codePage", "countryCode", "lastLogoff", "lastLogon",
687 "logonCount", "pwdLastSet"]:
690 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
691 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
695 except LdbError, (num, _):
696 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
699 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
700 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
704 except LdbError, (num, _):
705 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
707 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
708 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
710 def test_primary_group_token_constructed(self):
711 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
712 print "Testing primary group token behaviour and other constructed attributes\n"
716 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
717 "objectclass": "group",
718 "primaryGroupToken": "100"})
720 except LdbError, (num, _):
721 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
722 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
725 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
726 "objectclass": "user"})
729 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
730 "objectclass": "group"})
732 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
733 res1 = ldb.search(self.base_dn,
734 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"])
735 self.assertTrue(len(res1) == 1)
736 self.assertFalse("primaryGroupToken" in res1[0])
737 self.assertTrue("canonicalName" in res1[0])
738 self.assertTrue("objectClass" in res1[0])
739 self.assertTrue("objectSid" in res1[0])
741 res1 = ldb.search(self.base_dn,
742 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"])
743 self.assertTrue(len(res1) == 1)
744 self.assertFalse("primaryGroupToken" in res1[0])
745 self.assertFalse("objectSid" in res1[0])
746 self.assertFalse("objectClass" in res1[0])
747 self.assertTrue("canonicalName" in res1[0])
749 res1 = ldb.search("cn=users," + self.base_dn,
750 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
751 self.assertTrue(len(res1) == 1)
752 self.assertFalse("primaryGroupToken" in res1[0])
754 res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn,
755 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
756 self.assertTrue(len(res1) == 1)
757 self.assertFalse("primaryGroupToken" in res1[0])
759 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
761 self.assertTrue(len(res1) == 1)
762 self.assertFalse("primaryGroupToken" in res1[0])
764 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
765 scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"])
766 self.assertTrue(len(res1) == 1)
767 primary_group_token = int(res1[0]["primaryGroupToken"][0])
769 rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1]
770 self.assertEquals(primary_group_token, rid)
773 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
774 m["primaryGroupToken"] = "100"
778 except LdbError, (num, _):
779 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
781 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
782 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
784 def test_tokenGroups(self):
785 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
786 print "Testing tokenGroups behaviour\n"
788 # The domain object shouldn't contain any "tokenGroups" entry
789 res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"])
790 self.assertTrue(len(res) == 1)
791 self.assertFalse("tokenGroups" in res[0])
793 # The domain administrator should contain "tokenGroups" entries
794 # (the exact number depends on the domain/forest function level and the
795 # DC software versions)
796 res = ldb.search("cn=Administrator,cn=Users," + self.base_dn,
797 scope=SCOPE_BASE, attrs=["tokenGroups"])
798 self.assertTrue(len(res) == 1)
799 self.assertTrue("tokenGroups" in res[0])
802 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
803 "objectclass": "user"})
805 # This testuser should contain at least two "tokenGroups" entries
806 # (exactly two on an unmodified "Domain Users" and "Users" group)
807 res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
808 scope=SCOPE_BASE, attrs=["tokenGroups"])
809 self.assertTrue(len(res) == 1)
810 self.assertTrue(len(res[0]["tokenGroups"]) >= 2)
812 # one entry which we need to find should point to domains "Domain Users"
813 # group and another entry should point to the builtin "Users"group
814 domain_users_group_found = False
815 users_group_found = False
816 for sid in res[0]["tokenGroups"]:
817 rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1]
819 domain_users_group_found = True
821 users_group_found = True
823 self.assertTrue(domain_users_group_found)
824 self.assertTrue(users_group_found)
826 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
828 def test_groupType(self):
829 """Test the groupType behaviour"""
830 print "Testing groupType behaviour\n"
832 # You can never create or change to a
833 # "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP"
840 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
841 "objectclass": "group",
844 except LdbError, (num, _):
845 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
846 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
850 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
851 "objectclass": "group",
852 "groupType": str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP)})
854 except LdbError, (num, _):
855 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
856 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
859 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
860 "objectclass": "group",
861 "groupType": str(GTYPE_SECURITY_GLOBAL_GROUP)})
863 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
864 scope=SCOPE_BASE, attrs=["sAMAccountType"])
865 self.assertTrue(len(res1) == 1)
866 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
867 ATYPE_SECURITY_GLOBAL_GROUP)
868 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
871 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
872 "objectclass": "group",
873 "groupType": str(GTYPE_SECURITY_UNIVERSAL_GROUP)})
875 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
876 scope=SCOPE_BASE, attrs=["sAMAccountType"])
877 self.assertTrue(len(res1) == 1)
878 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
879 ATYPE_SECURITY_UNIVERSAL_GROUP)
880 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
883 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
884 "objectclass": "group",
885 "groupType": str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)})
887 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
888 scope=SCOPE_BASE, attrs=["sAMAccountType"])
889 self.assertTrue(len(res1) == 1)
890 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
891 ATYPE_SECURITY_LOCAL_GROUP)
892 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
895 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
896 "objectclass": "group",
897 "groupType": str(GTYPE_DISTRIBUTION_GLOBAL_GROUP)})
899 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
900 scope=SCOPE_BASE, attrs=["sAMAccountType"])
901 self.assertTrue(len(res1) == 1)
902 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
903 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
904 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
907 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
908 "objectclass": "group",
909 "groupType": str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP)})
911 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
912 scope=SCOPE_BASE, attrs=["sAMAccountType"])
913 self.assertTrue(len(res1) == 1)
914 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
915 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
916 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
919 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
920 "objectclass": "group",
921 "groupType": str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)})
923 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
924 scope=SCOPE_BASE, attrs=["sAMAccountType"])
925 self.assertTrue(len(res1) == 1)
926 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
927 ATYPE_DISTRIBUTION_LOCAL_GROUP)
928 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
933 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
934 "objectclass": "group"})
936 # We can change in this direction: global <-> universal <-> local
937 # On each step also the group type itself (security/distribution) is
940 # After creation we should have a "security global group"
941 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
942 scope=SCOPE_BASE, attrs=["sAMAccountType"])
943 self.assertTrue(len(res1) == 1)
944 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
945 ATYPE_SECURITY_GLOBAL_GROUP)
950 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
951 m["groupType"] = MessageElement("0",
952 FLAG_MOD_REPLACE, "groupType")
955 except LdbError, (num, _):
956 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
960 # Default is "global group"
963 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
964 m["groupType"] = MessageElement(
965 str(GTYPE_SECURITY_GLOBAL_GROUP),
966 FLAG_MOD_REPLACE, "groupType")
969 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
970 scope=SCOPE_BASE, attrs=["sAMAccountType"])
971 self.assertTrue(len(res1) == 1)
972 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
973 ATYPE_SECURITY_GLOBAL_GROUP)
975 # Change to "local" (shouldn't work)
979 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
980 m["groupType"] = MessageElement(
981 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
982 FLAG_MOD_REPLACE, "groupType")
985 except LdbError, (num, _):
986 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
988 # Change to "universal"
991 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
992 m["groupType"] = MessageElement(
993 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
994 FLAG_MOD_REPLACE, "groupType")
997 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
998 scope=SCOPE_BASE, attrs=["sAMAccountType"])
999 self.assertTrue(len(res1) == 1)
1000 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1001 ATYPE_SECURITY_UNIVERSAL_GROUP)
1003 # Change back to "global"
1006 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1007 m["groupType"] = MessageElement(
1008 str(GTYPE_SECURITY_GLOBAL_GROUP),
1009 FLAG_MOD_REPLACE, "groupType")
1012 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1013 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1014 self.assertTrue(len(res1) == 1)
1015 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1016 ATYPE_SECURITY_GLOBAL_GROUP)
1018 # Change back to "universal"
1021 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1022 m["groupType"] = MessageElement(
1023 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1024 FLAG_MOD_REPLACE, "groupType")
1027 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1028 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1029 self.assertTrue(len(res1) == 1)
1030 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1031 ATYPE_SECURITY_UNIVERSAL_GROUP)
1036 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1037 m["groupType"] = MessageElement(
1038 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1039 FLAG_MOD_REPLACE, "groupType")
1042 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1043 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1044 self.assertTrue(len(res1) == 1)
1045 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1046 ATYPE_SECURITY_LOCAL_GROUP)
1048 # Change to "global" (shouldn't work)
1052 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1053 m["groupType"] = MessageElement(
1054 str(GTYPE_SECURITY_GLOBAL_GROUP),
1055 FLAG_MOD_REPLACE, "groupType")
1058 except LdbError, (num, _):
1059 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1061 # Change to "builtin local" (shouldn't work)
1065 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1066 m["groupType"] = MessageElement(
1067 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1068 FLAG_MOD_REPLACE, "groupType")
1071 except LdbError, (num, _):
1072 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1075 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1077 # Change back to "universal"
1080 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1081 m["groupType"] = MessageElement(
1082 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1083 FLAG_MOD_REPLACE, "groupType")
1086 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1087 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1088 self.assertTrue(len(res1) == 1)
1089 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1090 ATYPE_SECURITY_UNIVERSAL_GROUP)
1092 # Change to "builtin local" (shouldn't work)
1096 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1097 m["groupType"] = MessageElement(
1098 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1099 FLAG_MOD_REPLACE, "groupType")
1102 except LdbError, (num, _):
1103 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1105 # Change back to "global"
1108 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1109 m["groupType"] = MessageElement(
1110 str(GTYPE_SECURITY_GLOBAL_GROUP),
1111 FLAG_MOD_REPLACE, "groupType")
1114 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1115 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1116 self.assertTrue(len(res1) == 1)
1117 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1118 ATYPE_SECURITY_GLOBAL_GROUP)
1120 # Change to "builtin local" (shouldn't work)
1124 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1125 m["groupType"] = MessageElement(
1126 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1127 FLAG_MOD_REPLACE, "groupType")
1130 except LdbError, (num, _):
1131 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1133 # Distribution groups
1135 # Default is "global group"
1138 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1139 m["groupType"] = MessageElement(
1140 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1141 FLAG_MOD_REPLACE, "groupType")
1144 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1145 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1146 self.assertTrue(len(res1) == 1)
1147 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1148 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1150 # Change to local (shouldn't work)
1154 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1155 m["groupType"] = MessageElement(
1156 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1157 FLAG_MOD_REPLACE, "groupType")
1160 except LdbError, (num, _):
1161 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1163 # Change to "universal"
1166 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1167 m["groupType"] = MessageElement(
1168 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1169 FLAG_MOD_REPLACE, "groupType")
1172 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1173 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1174 self.assertTrue(len(res1) == 1)
1175 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1176 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1178 # Change back to "global"
1181 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1182 m["groupType"] = MessageElement(
1183 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1184 FLAG_MOD_REPLACE, "groupType")
1187 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1188 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1189 self.assertTrue(len(res1) == 1)
1190 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1191 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1193 # Change back to "universal"
1196 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1197 m["groupType"] = MessageElement(
1198 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1199 FLAG_MOD_REPLACE, "groupType")
1202 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1203 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1204 self.assertTrue(len(res1) == 1)
1205 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1206 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1211 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1212 m["groupType"] = MessageElement(
1213 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1214 FLAG_MOD_REPLACE, "groupType")
1217 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1218 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1219 self.assertTrue(len(res1) == 1)
1220 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1221 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1223 # Change to "global" (shouldn't work)
1227 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1228 m["groupType"] = MessageElement(
1229 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1230 FLAG_MOD_REPLACE, "groupType")
1233 except LdbError, (num, _):
1234 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1236 # Change back to "universal"
1238 # Try to add invalid member to group 1 - should be denied
1240 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1241 m["member"] = MessageElement(
1242 "cn=ldaptestuser3,cn=users," + self.base_dn,
1243 FLAG_MOD_ADD, "member")
1247 except LdbError, (num, _):
1248 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1250 # Make group 2 secondary
1252 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1253 m["groupType"] = MessageElement(
1254 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1255 FLAG_MOD_REPLACE, "groupType")
1258 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1259 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1260 self.assertTrue(len(res1) == 1)
1261 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1262 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1264 # Change back to "global"
1267 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1268 m["groupType"] = MessageElement(
1269 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1270 FLAG_MOD_REPLACE, "groupType")
1273 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1274 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1275 self.assertTrue(len(res1) == 1)
1276 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1277 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1279 # Both group types: this performs only random checks - all possibilities
1280 # would require too much code.
1282 # Default is "global group"
1285 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1286 m["groupType"] = MessageElement(
1287 str(GTYPE_SECURITY_GLOBAL_GROUP),
1288 FLAG_MOD_REPLACE, "groupType")
1291 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1292 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1293 self.assertTrue(len(res1) == 1)
1294 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1295 ATYPE_SECURITY_GLOBAL_GROUP)
1297 # Change to "local" (shouldn't work)
1301 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1302 m["groupType"] = MessageElement(
1303 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1304 FLAG_MOD_REPLACE, "groupType")
1307 except LdbError, (num, _):
1308 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1310 # Change to "universal"
1313 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1314 m["groupType"] = MessageElement(
1315 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1316 FLAG_MOD_REPLACE, "groupType")
1319 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1320 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1321 self.assertTrue(len(res1) == 1)
1322 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1323 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1325 # Change back to "global"
1328 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1329 m["groupType"] = MessageElement(
1330 str(GTYPE_SECURITY_GLOBAL_GROUP),
1331 FLAG_MOD_REPLACE, "groupType")
1334 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1335 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1336 self.assertTrue(len(res1) == 1)
1337 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1338 ATYPE_SECURITY_GLOBAL_GROUP)
1340 # Change back to "universal"
1343 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1344 m["groupType"] = MessageElement(
1345 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1346 FLAG_MOD_REPLACE, "groupType")
1349 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1350 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1351 self.assertTrue(len(res1) == 1)
1352 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1353 ATYPE_SECURITY_UNIVERSAL_GROUP)
1358 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1359 m["groupType"] = MessageElement(
1360 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1361 FLAG_MOD_REPLACE, "groupType")
1364 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1365 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1366 self.assertTrue(len(res1) == 1)
1367 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1368 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1370 # Change to "global" (shouldn't work)
1374 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1375 m["groupType"] = MessageElement(
1376 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1377 FLAG_MOD_REPLACE, "groupType")
1380 except LdbError, (num, _):
1381 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1383 # Change back to "universal"
1386 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1387 m["groupType"] = MessageElement(
1388 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1389 FLAG_MOD_REPLACE, "groupType")
1392 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1393 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1394 self.assertTrue(len(res1) == 1)
1395 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1396 ATYPE_SECURITY_UNIVERSAL_GROUP)
1398 # Change back to "global"
1401 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1402 m["groupType"] = MessageElement(
1403 str(GTYPE_SECURITY_GLOBAL_GROUP),
1404 FLAG_MOD_REPLACE, "groupType")
1407 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1408 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1409 self.assertTrue(len(res1) == 1)
1410 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1411 ATYPE_SECURITY_GLOBAL_GROUP)
1413 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1415 def test_userAccountControl(self):
1416 """Test the userAccountControl behaviour"""
1417 print "Testing userAccountControl behaviour\n"
1419 # With a user object
1423 # As user you can only set a normal account.
1424 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1426 # With SYSTEM rights you can set a interdomain trust account.
1429 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1430 "objectclass": "user",
1431 "userAccountControl": "0"})
1433 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1435 attrs=["sAMAccountType", "userAccountControl"])
1436 self.assertTrue(len(res1) == 1)
1437 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1438 ATYPE_NORMAL_ACCOUNT)
1439 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1440 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0)
1441 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1443 # This has to wait until s4 supports it (needs a password module change)
1446 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1447 # "objectclass": "user",
1448 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1450 # except LdbError, (num, _):
1451 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1452 # delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1455 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1456 "objectclass": "user",
1457 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1459 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1461 attrs=["sAMAccountType", "userAccountControl"])
1462 self.assertTrue(len(res1) == 1)
1463 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1464 ATYPE_NORMAL_ACCOUNT)
1465 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1466 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1470 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1471 "objectclass": "user",
1472 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1474 except LdbError, (num, _):
1475 self.assertEquals(num, ERR_OTHER)
1476 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1480 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1481 "objectclass": "user",
1482 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1484 except LdbError, (num, _):
1485 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1486 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1490 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1491 "objectclass": "user",
1492 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1493 except LdbError, (num, _):
1494 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1495 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1499 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1500 "objectclass": "user",
1501 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)})
1502 except LdbError, (num, _):
1503 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1504 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1506 # This isn't supported yet in s4 - needs ACL module adaption
1509 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1510 # "objectclass": "user",
1511 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1513 # except LdbError, (num, _):
1514 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1515 # delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1520 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1521 "objectclass": "user"})
1523 # After creation we should have a normal account
1524 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1526 attrs=["sAMAccountType", "userAccountControl"])
1527 self.assertTrue(len(res1) == 1)
1528 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1529 ATYPE_NORMAL_ACCOUNT)
1530 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
1532 # As user you can only switch from a normal account to a workstation
1533 # trust account and back.
1534 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1536 # With SYSTEM rights you can switch to a interdomain trust account.
1541 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1542 m["userAccountControl"] = MessageElement("0",
1543 FLAG_MOD_REPLACE, "userAccountControl")
1545 except LdbError, (num, _):
1546 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1548 # This has to wait until s4 supports it (needs a password module change)
1551 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1552 # m["userAccountControl"] = MessageElement(
1553 # str(UF_NORMAL_ACCOUNT),
1554 # FLAG_MOD_REPLACE, "userAccountControl")
1556 # except LdbError, (num, _):
1557 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1560 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1561 m["userAccountControl"] = MessageElement(
1562 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1563 FLAG_MOD_REPLACE, "userAccountControl")
1566 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1568 attrs=["sAMAccountType", "userAccountControl"])
1569 self.assertTrue(len(res1) == 1)
1570 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1571 ATYPE_NORMAL_ACCOUNT)
1572 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1575 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1576 m["userAccountControl"] = MessageElement(
1577 str(UF_ACCOUNTDISABLE),
1578 FLAG_MOD_REPLACE, "userAccountControl")
1581 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1583 attrs=["sAMAccountType", "userAccountControl"])
1584 self.assertTrue(len(res1) == 1)
1585 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1586 ATYPE_NORMAL_ACCOUNT)
1587 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0)
1588 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
1592 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1593 m["userAccountControl"] = MessageElement(
1594 str(UF_TEMP_DUPLICATE_ACCOUNT),
1595 FLAG_MOD_REPLACE, "userAccountControl")
1598 except LdbError, (num, _):
1599 self.assertEquals(num, ERR_OTHER)
1603 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1604 m["userAccountControl"] = MessageElement(
1605 str(UF_SERVER_TRUST_ACCOUNT),
1606 FLAG_MOD_REPLACE, "userAccountControl")
1609 except LdbError, (num, _):
1610 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1613 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1614 m["userAccountControl"] = MessageElement(
1615 str(UF_WORKSTATION_TRUST_ACCOUNT),
1616 FLAG_MOD_REPLACE, "userAccountControl")
1621 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1622 m["userAccountControl"] = MessageElement(
1623 str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT),
1624 FLAG_MOD_REPLACE, "userAccountControl")
1627 except LdbError, (num, _):
1628 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1630 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1631 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1632 self.assertTrue(len(res1) == 1)
1633 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1634 ATYPE_WORKSTATION_TRUST)
1637 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1638 m["userAccountControl"] = MessageElement(
1639 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1640 FLAG_MOD_REPLACE, "userAccountControl")
1643 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1644 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1645 self.assertTrue(len(res1) == 1)
1646 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1647 ATYPE_NORMAL_ACCOUNT)
1649 # This isn't supported yet in s4 - needs ACL module adaption
1652 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1653 # m["userAccountControl"] = MessageElement(
1654 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1655 # FLAG_MOD_REPLACE, "userAccountControl")
1658 # except LdbError, (num, _):
1659 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1661 # With a computer object
1665 # As computer you can set a normal account and a server trust account.
1666 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1668 # With SYSTEM rights you can set a interdomain trust account.
1671 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1672 "objectclass": "computer",
1673 "userAccountControl": "0"})
1675 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1677 attrs=["sAMAccountType", "userAccountControl"])
1678 self.assertTrue(len(res1) == 1)
1679 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1680 ATYPE_NORMAL_ACCOUNT)
1681 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1682 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0)
1683 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1685 # This has to wait until s4 supports it (needs a password module change)
1688 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1689 # "objectclass": "computer",
1690 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1692 # except LdbError, (num, _):
1693 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1694 # delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1697 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1698 "objectclass": "computer",
1699 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1701 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1703 attrs=["sAMAccountType", "userAccountControl"])
1704 self.assertTrue(len(res1) == 1)
1705 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1706 ATYPE_NORMAL_ACCOUNT)
1707 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1708 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1712 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1713 "objectclass": "computer",
1714 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1716 except LdbError, (num, _):
1717 self.assertEquals(num, ERR_OTHER)
1718 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1721 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1722 "objectclass": "computer",
1723 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1725 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1726 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1727 self.assertTrue(len(res1) == 1)
1728 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1729 ATYPE_WORKSTATION_TRUST)
1730 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1734 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1735 "objectclass": "computer",
1736 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1737 except LdbError, (num, _):
1738 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1739 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1741 # This isn't supported yet in s4 - needs ACL module adaption
1744 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1745 # "objectclass": "computer",
1746 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1748 # except LdbError, (num, _):
1749 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1750 # delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1755 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1756 "objectclass": "computer"})
1758 # After creation we should have a normal account
1759 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1761 attrs=["sAMAccountType", "userAccountControl"])
1762 self.assertTrue(len(res1) == 1)
1763 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1764 ATYPE_NORMAL_ACCOUNT)
1765 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
1767 # As computer you can switch from a normal account to a workstation
1768 # or server trust account and back (also swapping between trust
1769 # accounts is allowed).
1770 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1772 # With SYSTEM rights you can switch to a interdomain trust account.
1777 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1778 m["userAccountControl"] = MessageElement("0",
1779 FLAG_MOD_REPLACE, "userAccountControl")
1781 except LdbError, (num, _):
1782 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1784 # This has to wait until s4 supports it (needs a password module change)
1787 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1788 # m["userAccountControl"] = MessageElement(
1789 # str(UF_NORMAL_ACCOUNT),
1790 # FLAG_MOD_REPLACE, "userAccountControl")
1792 # except LdbError, (num, _):
1793 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1796 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1797 m["userAccountControl"] = MessageElement(
1798 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1799 FLAG_MOD_REPLACE, "userAccountControl")
1802 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1804 attrs=["sAMAccountType", "userAccountControl"])
1805 self.assertTrue(len(res1) == 1)
1806 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1807 ATYPE_NORMAL_ACCOUNT)
1808 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1811 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1812 m["userAccountControl"] = MessageElement(
1813 str(UF_ACCOUNTDISABLE),
1814 FLAG_MOD_REPLACE, "userAccountControl")
1817 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1819 attrs=["sAMAccountType", "userAccountControl"])
1820 self.assertTrue(len(res1) == 1)
1821 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1822 ATYPE_NORMAL_ACCOUNT)
1823 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_NORMAL_ACCOUNT != 0)
1824 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
1828 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1829 m["userAccountControl"] = MessageElement(
1830 str(UF_TEMP_DUPLICATE_ACCOUNT),
1831 FLAG_MOD_REPLACE, "userAccountControl")
1834 except LdbError, (num, _):
1835 self.assertEquals(num, ERR_OTHER)
1838 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1839 m["userAccountControl"] = MessageElement(
1840 str(UF_SERVER_TRUST_ACCOUNT),
1841 FLAG_MOD_REPLACE, "userAccountControl")
1844 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1845 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1846 self.assertTrue(len(res1) == 1)
1847 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1848 ATYPE_WORKSTATION_TRUST)
1851 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1852 m["userAccountControl"] = MessageElement(
1853 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1854 FLAG_MOD_REPLACE, "userAccountControl")
1857 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1858 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1859 self.assertTrue(len(res1) == 1)
1860 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1861 ATYPE_NORMAL_ACCOUNT)
1864 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1865 m["userAccountControl"] = MessageElement(
1866 str(UF_WORKSTATION_TRUST_ACCOUNT),
1867 FLAG_MOD_REPLACE, "userAccountControl")
1870 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1871 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1872 self.assertTrue(len(res1) == 1)
1873 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1874 ATYPE_WORKSTATION_TRUST)
1877 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1878 m["userAccountControl"] = MessageElement(
1879 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1880 FLAG_MOD_REPLACE, "userAccountControl")
1883 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1884 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1885 self.assertTrue(len(res1) == 1)
1886 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1887 ATYPE_NORMAL_ACCOUNT)
1890 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1891 m["userAccountControl"] = MessageElement(
1892 str(UF_SERVER_TRUST_ACCOUNT),
1893 FLAG_MOD_REPLACE, "userAccountControl")
1896 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1897 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1898 self.assertTrue(len(res1) == 1)
1899 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1900 ATYPE_WORKSTATION_TRUST)
1903 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1904 m["userAccountControl"] = MessageElement(
1905 str(UF_WORKSTATION_TRUST_ACCOUNT),
1906 FLAG_MOD_REPLACE, "userAccountControl")
1909 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1910 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1911 self.assertTrue(len(res1) == 1)
1912 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1913 ATYPE_WORKSTATION_TRUST)
1915 # This isn't supported yet in s4 - needs ACL module adaption
1918 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1919 # m["userAccountControl"] = MessageElement(
1920 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1921 # FLAG_MOD_REPLACE, "userAccountControl")
1924 # except LdbError, (num, _):
1925 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1927 # "primaryGroupID" does not change if account type remains the same
1929 # For a user account
1932 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
1933 "objectclass": "user",
1934 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)})
1936 res1 = ldb.search("cn=ldaptestuser2,cn=users," + self.base_dn,
1938 attrs=["userAccountControl"])
1939 self.assertTrue(len(res1) == 1)
1940 self.assertEquals(int(res1[0]["userAccountControl"][0]),
1941 UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
1944 m.dn = Dn(ldb, "<SID=" + ldb.get_domain_sid() + "-" + str(DOMAIN_RID_ADMINS) + ">")
1945 m["member"] = MessageElement(
1946 "cn=ldaptestuser2,cn=users," + self.base_dn, FLAG_MOD_ADD, "member")
1950 m.dn = Dn(ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
1951 m["primaryGroupID"] = MessageElement(str(DOMAIN_RID_ADMINS),
1952 FLAG_MOD_REPLACE, "primaryGroupID")
1956 m.dn = Dn(ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
1957 m["userAccountControl"] = MessageElement(
1958 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1959 FLAG_MOD_REPLACE, "userAccountControl")
1962 res1 = ldb.search("cn=ldaptestuser2,cn=users," + self.base_dn,
1964 attrs=["userAccountControl", "primaryGroupID"])
1965 self.assertTrue(len(res1) == 1)
1966 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1967 self.assertEquals(int(res1[0]["primaryGroupID"][0]), DOMAIN_RID_ADMINS)
1969 # For a workstation account
1971 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1973 attrs=["primaryGroupID"])
1974 self.assertTrue(len(res1) == 1)
1975 self.assertEquals(int(res1[0]["primaryGroupID"][0]), DOMAIN_RID_DOMAIN_MEMBERS)
1978 m.dn = Dn(ldb, "<SID=" + ldb.get_domain_sid() + "-" + str(DOMAIN_RID_USERS) + ">")
1979 m["member"] = MessageElement(
1980 "cn=ldaptestcomputer,cn=computers," + self.base_dn, FLAG_MOD_ADD, "member")
1984 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1985 m["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS),
1986 FLAG_MOD_REPLACE, "primaryGroupID")
1990 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1991 m["userAccountControl"] = MessageElement(
1992 str(UF_WORKSTATION_TRUST_ACCOUNT),
1993 FLAG_MOD_REPLACE, "userAccountControl")
1996 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1998 attrs=["primaryGroupID"])
1999 self.assertTrue(len(res1) == 1)
2000 self.assertEquals(int(res1[0]["primaryGroupID"][0]), DOMAIN_RID_USERS)
2002 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
2003 delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
2004 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2006 def test_isCriticalSystemObject(self):
2007 """Test the isCriticalSystemObject behaviour"""
2008 print "Testing isCriticalSystemObject behaviour\n"
2013 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2014 "objectclass": "computer"})
2016 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2018 attrs=["isCriticalSystemObject"])
2019 self.assertTrue(len(res1) == 1)
2020 self.assertTrue("isCriticalSystemObject" not in res1[0])
2022 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2025 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2026 "objectclass": "computer",
2027 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
2029 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2031 attrs=["isCriticalSystemObject"])
2032 self.assertTrue(len(res1) == 1)
2033 self.assertEquals(res1[0]["isCriticalSystemObject"][0], "FALSE")
2035 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2038 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2039 "objectclass": "computer",
2040 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)})
2042 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2044 attrs=["isCriticalSystemObject"])
2045 self.assertTrue(len(res1) == 1)
2046 self.assertEquals(res1[0]["isCriticalSystemObject"][0], "TRUE")
2048 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2051 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2052 "objectclass": "computer",
2053 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
2055 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2057 attrs=["isCriticalSystemObject"])
2058 self.assertTrue(len(res1) == 1)
2059 self.assertEquals(res1[0]["isCriticalSystemObject"][0], "TRUE")
2061 # Modification tests
2064 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2065 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
2066 FLAG_MOD_REPLACE, "userAccountControl")
2069 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2071 attrs=["isCriticalSystemObject"])
2072 self.assertTrue(len(res1) == 1)
2073 self.assertEquals(res1[0]["isCriticalSystemObject"][0], "TRUE")
2076 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2077 m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT),
2078 FLAG_MOD_REPLACE, "userAccountControl")
2081 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2083 attrs=["isCriticalSystemObject"])
2084 self.assertTrue(len(res1) == 1)
2085 self.assertEquals(res1[0]["isCriticalSystemObject"][0], "FALSE")
2088 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2089 m["userAccountControl"] = MessageElement(
2090 str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT),
2091 FLAG_MOD_REPLACE, "userAccountControl")
2094 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2096 attrs=["isCriticalSystemObject"])
2097 self.assertTrue(len(res1) == 1)
2098 self.assertEquals(res1[0]["isCriticalSystemObject"][0], "TRUE")
2101 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2102 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
2103 FLAG_MOD_REPLACE, "userAccountControl")
2106 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2108 attrs=["isCriticalSystemObject"])
2109 self.assertTrue(len(res1) == 1)
2110 self.assertEquals(res1[0]["isCriticalSystemObject"][0], "TRUE")
2113 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2114 m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT),
2115 FLAG_MOD_REPLACE, "userAccountControl")
2118 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2120 attrs=["isCriticalSystemObject"])
2121 self.assertTrue(len(res1) == 1)
2122 self.assertEquals(res1[0]["isCriticalSystemObject"][0], "TRUE")
2125 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2126 m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT),
2127 FLAG_MOD_REPLACE, "userAccountControl")
2130 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2132 attrs=["isCriticalSystemObject"])
2133 self.assertTrue(len(res1) == 1)
2134 self.assertEquals(res1[0]["isCriticalSystemObject"][0], "FALSE")
2136 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2138 def test_service_principal_name_updates(self):
2139 """Test the servicePrincipalNames update behaviour"""
2140 print "Testing servicePrincipalNames update behaviour\n"
2143 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2144 "objectclass": "computer",
2145 "dNSHostName": "testname.testdom"})
2147 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2148 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2149 self.assertTrue(len(res) == 1)
2150 self.assertFalse("servicePrincipalName" in res[0])
2152 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2155 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2156 "objectclass": "computer",
2157 "servicePrincipalName": "HOST/testname.testdom"})
2159 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2160 scope=SCOPE_BASE, attrs=["dNSHostName"])
2161 self.assertTrue(len(res) == 1)
2162 self.assertFalse("dNSHostName" in res[0])
2164 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2167 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2168 "objectclass": "computer",
2169 "dNSHostName": "testname2.testdom",
2170 "servicePrincipalName": "HOST/testname.testdom"})
2172 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2173 scope=SCOPE_BASE, attrs=["dNSHostName"])
2174 self.assertTrue(len(res) == 1)
2175 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2177 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2178 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2179 self.assertTrue(len(res) == 1)
2180 self.assertEquals(res[0]["servicePrincipalName"][0],
2181 "HOST/testname.testdom")
2184 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2185 m["dNSHostName"] = MessageElement("testname.testdoM",
2186 FLAG_MOD_REPLACE, "dNSHostName")
2189 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2190 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2191 self.assertTrue(len(res) == 1)
2192 self.assertEquals(res[0]["servicePrincipalName"][0],
2193 "HOST/testname.testdom")
2196 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2197 m["dNSHostName"] = MessageElement("testname2.testdom2",
2198 FLAG_MOD_REPLACE, "dNSHostName")
2201 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2202 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2203 self.assertTrue(len(res) == 1)
2204 self.assertEquals(res[0]["servicePrincipalName"][0],
2205 "HOST/testname2.testdom2")
2208 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2209 m["dNSHostName"] = MessageElement([],
2210 FLAG_MOD_DELETE, "dNSHostName")
2213 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2214 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2215 self.assertTrue(len(res) == 1)
2216 self.assertEquals(res[0]["servicePrincipalName"][0],
2217 "HOST/testname2.testdom2")
2220 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2221 m["dNSHostName"] = MessageElement("testname.testdom3",
2222 FLAG_MOD_REPLACE, "dNSHostName")
2225 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2226 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2227 self.assertTrue(len(res) == 1)
2228 self.assertEquals(res[0]["servicePrincipalName"][0],
2229 "HOST/testname2.testdom2")
2232 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2233 m["dNSHostName"] = MessageElement("testname2.testdom2",
2234 FLAG_MOD_REPLACE, "dNSHostName")
2238 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2239 m["dNSHostName"] = MessageElement("testname3.testdom3",
2240 FLAG_MOD_REPLACE, "dNSHostName")
2241 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
2243 "servicePrincipalName")
2246 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2247 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2248 self.assertTrue(len(res) == 1)
2249 self.assertEquals(res[0]["servicePrincipalName"][0],
2250 "HOST/testname3.testdom3")
2253 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2254 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
2256 "servicePrincipalName")
2257 m["dNSHostName"] = MessageElement("testname4.testdom4",
2258 FLAG_MOD_REPLACE, "dNSHostName")
2261 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2262 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2263 self.assertTrue(len(res) == 1)
2264 self.assertEquals(res[0]["servicePrincipalName"][0],
2265 "HOST/testname2.testdom2")
2268 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2269 m["servicePrincipalName"] = MessageElement([],
2271 "servicePrincipalName")
2275 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2276 m["dNSHostName"] = MessageElement("testname2.testdom2",
2277 FLAG_MOD_REPLACE, "dNSHostName")
2280 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2281 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2282 self.assertTrue(len(res) == 1)
2283 self.assertFalse("servicePrincipalName" in res[0])
2285 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2288 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2289 "objectclass": "computer",
2290 "sAMAccountName": "testname$"})
2292 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2293 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2294 self.assertTrue(len(res) == 1)
2295 self.assertFalse("servicePrincipalName" in res[0])
2297 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2300 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2301 "objectclass": "computer",
2302 "servicePrincipalName": "HOST/testname"})
2304 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2305 scope=SCOPE_BASE, attrs=["sAMAccountName"])
2306 self.assertTrue(len(res) == 1)
2307 self.assertTrue("sAMAccountName" in res[0])
2309 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2312 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2313 "objectclass": "computer",
2314 "sAMAccountName": "testname$",
2315 "servicePrincipalName": "HOST/testname"})
2317 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2318 scope=SCOPE_BASE, attrs=["sAMAccountName"])
2319 self.assertTrue(len(res) == 1)
2320 self.assertEquals(res[0]["sAMAccountName"][0], "testname$")
2322 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2323 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2324 self.assertTrue(len(res) == 1)
2325 self.assertEquals(res[0]["servicePrincipalName"][0],
2329 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2330 m["sAMAccountName"] = MessageElement("testnamE$",
2331 FLAG_MOD_REPLACE, "sAMAccountName")
2334 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2335 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2336 self.assertTrue(len(res) == 1)
2337 self.assertEquals(res[0]["servicePrincipalName"][0],
2341 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2342 m["sAMAccountName"] = MessageElement("testname",
2343 FLAG_MOD_REPLACE, "sAMAccountName")
2346 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2347 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2348 self.assertTrue(len(res) == 1)
2349 self.assertEquals(res[0]["servicePrincipalName"][0],
2353 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2354 m["sAMAccountName"] = MessageElement("test$name$",
2355 FLAG_MOD_REPLACE, "sAMAccountName")
2358 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2359 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2360 self.assertTrue(len(res) == 1)
2361 self.assertEquals(res[0]["servicePrincipalName"][0],
2365 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2366 m["sAMAccountName"] = MessageElement("testname2",
2367 FLAG_MOD_REPLACE, "sAMAccountName")
2370 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2371 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2372 self.assertTrue(len(res) == 1)
2373 self.assertEquals(res[0]["servicePrincipalName"][0],
2377 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2378 m["sAMAccountName"] = MessageElement("testname3",
2379 FLAG_MOD_REPLACE, "sAMAccountName")
2380 m["servicePrincipalName"] = MessageElement("HOST/testname2",
2382 "servicePrincipalName")
2385 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2386 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2387 self.assertTrue(len(res) == 1)
2388 self.assertEquals(res[0]["servicePrincipalName"][0],
2392 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2393 m["servicePrincipalName"] = MessageElement("HOST/testname2",
2395 "servicePrincipalName")
2396 m["sAMAccountName"] = MessageElement("testname4",
2397 FLAG_MOD_REPLACE, "sAMAccountName")
2400 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2401 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2402 self.assertTrue(len(res) == 1)
2403 self.assertEquals(res[0]["servicePrincipalName"][0],
2407 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2408 m["servicePrincipalName"] = MessageElement([],
2410 "servicePrincipalName")
2414 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2415 m["sAMAccountName"] = MessageElement("testname2",
2416 FLAG_MOD_REPLACE, "sAMAccountName")
2419 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2420 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2421 self.assertTrue(len(res) == 1)
2422 self.assertFalse("servicePrincipalName" in res[0])
2424 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2427 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2428 "objectclass": "computer",
2429 "dNSHostName": "testname.testdom",
2430 "sAMAccountName": "testname$",
2431 "servicePrincipalName": [ "HOST/testname.testdom", "HOST/testname" ]
2435 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2436 m["dNSHostName"] = MessageElement("testname2.testdom",
2437 FLAG_MOD_REPLACE, "dNSHostName")
2438 m["sAMAccountName"] = MessageElement("testname2$",
2439 FLAG_MOD_REPLACE, "sAMAccountName")
2442 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2443 scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2444 self.assertTrue(len(res) == 1)
2445 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2446 self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2447 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2" or
2448 res[0]["servicePrincipalName"][1] == "HOST/testname2")
2449 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2.testdom" or
2450 res[0]["servicePrincipalName"][1] == "HOST/testname2.testdom")
2452 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2455 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2456 "objectclass": "computer",
2457 "dNSHostName": "testname.testdom",
2458 "sAMAccountName": "testname$",
2459 "servicePrincipalName": [ "HOST/testname.testdom", "HOST/testname" ]
2463 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2464 m["sAMAccountName"] = MessageElement("testname2$",
2465 FLAG_MOD_REPLACE, "sAMAccountName")
2466 m["dNSHostName"] = MessageElement("testname2.testdom",
2467 FLAG_MOD_REPLACE, "dNSHostName")
2470 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2471 scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2472 self.assertTrue(len(res) == 1)
2473 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2474 self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2475 self.assertTrue(len(res[0]["servicePrincipalName"]) == 2)
2476 self.assertTrue("HOST/testname2" in res[0]["servicePrincipalName"])
2477 self.assertTrue("HOST/testname2.testdom" in res[0]["servicePrincipalName"])
2480 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2481 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom",
2482 FLAG_MOD_ADD, "servicePrincipalName")
2486 except LdbError, (num, _):
2487 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2490 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2491 m["servicePrincipalName"] = MessageElement("HOST/testname3",
2492 FLAG_MOD_ADD, "servicePrincipalName")
2495 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2496 scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2497 self.assertTrue(len(res) == 1)
2498 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2499 self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2500 self.assertTrue(len(res[0]["servicePrincipalName"]) == 3)
2501 self.assertTrue("HOST/testname2" in res[0]["servicePrincipalName"])
2502 self.assertTrue("HOST/testname3" in res[0]["servicePrincipalName"])
2503 self.assertTrue("HOST/testname2.testdom" in res[0]["servicePrincipalName"])
2506 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2507 m["dNSHostName"] = MessageElement("testname3.testdom",
2508 FLAG_MOD_REPLACE, "dNSHostName")
2509 m["servicePrincipalName"] = MessageElement("HOST/testname3.testdom",
2510 FLAG_MOD_ADD, "servicePrincipalName")
2513 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2514 scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2515 self.assertTrue(len(res) == 1)
2516 self.assertEquals(res[0]["dNSHostName"][0], "testname3.testdom")
2517 self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2518 self.assertTrue(len(res[0]["servicePrincipalName"]) == 3)
2519 self.assertTrue("HOST/testname2" in res[0]["servicePrincipalName"])
2520 self.assertTrue("HOST/testname3" in res[0]["servicePrincipalName"])
2521 self.assertTrue("HOST/testname3.testdom" in res[0]["servicePrincipalName"])
2523 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2525 def test_sam_description_attribute(self):
2526 """Test SAM description attribute"""
2527 print "Test SAM description attribute"""
2530 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2531 "description": "desc2",
2532 "objectclass": "group",
2533 "description": "desc1"})
2535 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2536 scope=SCOPE_BASE, attrs=["description"])
2537 self.assertTrue(len(res) == 1)
2538 self.assertTrue("description" in res[0])
2539 self.assertTrue(len(res[0]["description"]) == 1)
2540 self.assertEquals(res[0]["description"][0], "desc1")
2542 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2545 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2546 "objectclass": "group",
2547 "description": ["desc1", "desc2"]})
2549 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2550 scope=SCOPE_BASE, attrs=["description"])
2551 self.assertTrue(len(res) == 1)
2552 self.assertTrue("description" in res[0])
2553 self.assertTrue(len(res[0]["description"]) == 2)
2554 self.assertTrue(res[0]["description"][0] == "desc1" or
2555 res[0]["description"][1] == "desc1")
2556 self.assertTrue(res[0]["description"][0] == "desc2" or
2557 res[0]["description"][1] == "desc2")
2560 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2561 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2566 except LdbError, (num, _):
2567 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2570 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2571 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2575 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2578 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2579 "objectclass": "group" })
2582 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2583 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2587 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2588 scope=SCOPE_BASE, attrs=["description"])
2589 self.assertTrue(len(res) == 1)
2590 self.assertTrue("description" in res[0])
2591 self.assertTrue(len(res[0]["description"]) == 1)
2592 self.assertEquals(res[0]["description"][0], "desc1")
2594 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2597 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2598 "objectclass": "group",
2599 "description": ["desc1", "desc2"]})
2602 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2603 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2607 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2608 scope=SCOPE_BASE, attrs=["description"])
2609 self.assertTrue(len(res) == 1)
2610 self.assertTrue("description" in res[0])
2611 self.assertTrue(len(res[0]["description"]) == 1)
2612 self.assertEquals(res[0]["description"][0], "desc1")
2615 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2616 m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
2621 except LdbError, (num, _):
2622 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2625 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2626 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2631 except LdbError, (num, _):
2632 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
2635 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2636 m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
2639 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2640 scope=SCOPE_BASE, attrs=["description"])
2641 self.assertTrue(len(res) == 1)
2642 self.assertFalse("description" in res[0])
2645 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2646 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2651 except LdbError, (num, _):
2652 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2655 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2656 m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
2661 except LdbError, (num, _):
2662 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2665 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2666 m["description"] = MessageElement("desc1", FLAG_MOD_ADD,
2670 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2671 scope=SCOPE_BASE, attrs=["description"])
2672 self.assertTrue(len(res) == 1)
2673 self.assertTrue("description" in res[0])
2674 self.assertTrue(len(res[0]["description"]) == 1)
2675 self.assertEquals(res[0]["description"][0], "desc1")
2678 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2679 m.add(MessageElement("desc1", FLAG_MOD_DELETE, "description"))
2680 m.add(MessageElement("desc2", FLAG_MOD_ADD, "description"))
2683 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2684 scope=SCOPE_BASE, attrs=["description"])
2685 self.assertTrue(len(res) == 1)
2686 self.assertTrue("description" in res[0])
2687 self.assertTrue(len(res[0]["description"]) == 1)
2688 self.assertEquals(res[0]["description"][0], "desc2")
2690 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2693 def test_fSMORoleOwner_attribute(self):
2694 """Test fSMORoleOwner attribute"""
2695 print "Test fSMORoleOwner attribute"""
2697 ds_service_name = self.ldb.get_dsServiceName()
2699 # The "fSMORoleOwner" attribute can only be set to "nTDSDSA" entries,
2700 # invalid DNs return ERR_UNWILLING_TO_PERFORM
2704 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2705 "objectclass": "group",
2706 "fSMORoleOwner": self.base_dn})
2708 except LdbError, (num, _):
2709 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
2713 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2714 "objectclass": "group",
2715 "fSMORoleOwner": [] })
2717 except LdbError, (num, _):
2718 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
2720 # We are able to set it to a valid "nTDSDSA" entry if the server is
2721 # capable of handling the role
2724 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2725 "objectclass": "group",
2726 "fSMORoleOwner": ds_service_name })
2728 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2731 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2732 "objectclass": "group" })
2735 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2736 m.add(MessageElement(self.base_dn, FLAG_MOD_REPLACE, "fSMORoleOwner"))
2740 except LdbError, (num, _):
2741 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
2744 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2745 m.add(MessageElement([], FLAG_MOD_REPLACE, "fSMORoleOwner"))
2749 except LdbError, (num, _):
2750 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
2752 # We are able to set it to a valid "nTDSDSA" entry if the server is
2753 # capable of handling the role
2756 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2757 m.add(MessageElement(ds_service_name, FLAG_MOD_REPLACE, "fSMORoleOwner"))
2760 # A clean-out works on plain entries, not master (schema, PDC...) DNs
2763 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2764 m.add(MessageElement([], FLAG_MOD_DELETE, "fSMORoleOwner"))
2767 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2770 if not "://" in host:
2771 if os.path.isfile(host):
2772 host = "tdb://%s" % host
2774 host = "ldap://%s" % host
2776 ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
2778 runner = SubunitTestRunner()
2780 if not runner.run(unittest.makeSuite(SamTests)).wasSuccessful():
git.samba.org / obnox / samba / samba-obnox.git / blob