2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
9 sys.path.append("bin/python")
11 samba.ensure_external_module("testtools", "testtools")
12 samba.ensure_external_module("subunit", "subunit/python")
14 import samba.getopt as options
16 from samba.auth import system_session
17 from ldb import SCOPE_BASE, LdbError
18 from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
19 from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM
20 from ldb import ERR_OTHER, ERR_NO_SUCH_ATTRIBUTE
21 from ldb import ERR_OBJECT_CLASS_VIOLATION
22 from ldb import ERR_CONSTRAINT_VIOLATION
23 from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
24 from ldb import Message, MessageElement, Dn
25 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
26 from samba.samdb import SamDB
27 from samba.dsdb import (UF_NORMAL_ACCOUNT,
28 UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
29 UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
30 UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT,
31 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
32 GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP,
33 GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP, GTYPE_DISTRIBUTION_GLOBAL_GROUP,
34 GTYPE_DISTRIBUTION_UNIVERSAL_GROUP,
35 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_UNIVERSAL_GROUP,
36 ATYPE_SECURITY_LOCAL_GROUP, ATYPE_DISTRIBUTION_GLOBAL_GROUP,
37 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP, ATYPE_DISTRIBUTION_LOCAL_GROUP,
38 ATYPE_WORKSTATION_TRUST)
39 from samba.dcerpc.security import (DOMAIN_RID_USERS, DOMAIN_RID_DOMAIN_MEMBERS,
40 DOMAIN_RID_DCS, DOMAIN_RID_READONLY_DCS)
42 from subunit.run import SubunitTestRunner
45 from samba.ndr import ndr_unpack
46 from samba.dcerpc import security
47 from samba.tests import delete_force
49 parser = optparse.OptionParser("sam.py [options] <host>")
50 sambaopts = options.SambaOptions(parser)
51 parser.add_option_group(sambaopts)
52 parser.add_option_group(options.VersionOptions(parser))
53 # use command line creds if available
54 credopts = options.CredentialsOptions(parser)
55 parser.add_option_group(credopts)
56 opts, args = parser.parse_args()
64 lp = sambaopts.get_loadparm()
65 creds = credopts.get_credentials(lp)
67 class SamTests(unittest.TestCase):
70 super(SamTests, self).setUp()
72 self.base_dn = ldb.domain_dn()
74 print "baseDN: %s\n" % self.base_dn
76 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
77 delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
78 delete_force(self.ldb, "cn=ldaptest\,specialuser,cn=users," + self.base_dn)
79 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
80 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
81 delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
83 def test_users_groups(self):
84 """This tests the SAM users and groups behaviour"""
85 print "Testing users and groups behaviour\n"
88 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
89 "objectclass": "group"})
92 "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
93 "objectclass": "group"})
95 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
96 scope=SCOPE_BASE, attrs=["objectSID"])
97 self.assertTrue(len(res1) == 1)
98 group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID",
99 res1[0]["objectSID"][0])).split()[1]
101 res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
102 scope=SCOPE_BASE, attrs=["objectSID"])
103 self.assertTrue(len(res1) == 1)
104 group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID",
105 res1[0]["objectSID"][0])).split()[1]
107 # Try to create a user with an invalid account name
110 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
111 "objectclass": "user",
112 "sAMAccountName": "administrator"})
114 except LdbError, (num, _):
115 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
116 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
118 # Try to create a user with an invalid account name
121 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
122 "objectclass": "user",
123 "sAMAccountName": []})
125 except LdbError, (num, _):
126 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
127 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
129 # Try to create a user with an invalid primary group
132 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
133 "objectclass": "user",
134 "primaryGroupID": "0"})
136 except LdbError, (num, _):
137 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
138 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
140 # Try to Create a user with a valid primary group
143 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
144 "objectclass": "user",
145 "primaryGroupID": str(group_rid_1)})
147 except LdbError, (num, _):
148 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
149 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
151 # Test to see how we should behave when the user account doesn't
154 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
155 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
160 except LdbError, (num, _):
161 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
163 # Test to see how we should behave when the account isn't a user
165 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
166 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
171 except LdbError, (num, _):
172 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
174 # Test default primary groups on add operations
177 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
178 "objectclass": "user"})
180 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
181 scope=SCOPE_BASE, attrs=["primaryGroupID"])
182 self.assertTrue(len(res1) == 1)
183 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
185 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
188 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
189 "objectclass": "user",
190 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD) })
192 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
193 scope=SCOPE_BASE, attrs=["primaryGroupID"])
194 self.assertTrue(len(res1) == 1)
195 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
197 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
199 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
200 # since such accounts aren't directly creatable (ACCESS_DENIED)
203 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
204 "objectclass": "computer",
205 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
207 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
208 scope=SCOPE_BASE, attrs=["primaryGroupID"])
209 self.assertTrue(len(res1) == 1)
210 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
212 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
215 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
216 "objectclass": "computer",
217 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
219 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
220 scope=SCOPE_BASE, attrs=["primaryGroupID"])
221 self.assertTrue(len(res1) == 1)
222 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
224 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
226 # Read-only DC accounts are only creatable by
227 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
228 # we have a fallback in the assertion)
230 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
231 "objectclass": "computer",
232 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
234 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
235 scope=SCOPE_BASE, attrs=["primaryGroupID"])
236 self.assertTrue(len(res1) == 1)
237 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
238 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
240 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
242 # Test default primary groups on modify operations
245 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
246 "objectclass": "user"})
249 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
250 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
251 "userAccountControl")
254 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
255 scope=SCOPE_BASE, attrs=["primaryGroupID"])
256 self.assertTrue(len(res1) == 1)
257 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
259 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
260 # since such accounts aren't directly creatable (ACCESS_DENIED)
262 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
265 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
266 "objectclass": "computer"})
268 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
269 scope=SCOPE_BASE, attrs=["primaryGroupID"])
270 self.assertTrue(len(res1) == 1)
271 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
274 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
275 m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
276 "userAccountControl")
279 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
280 scope=SCOPE_BASE, attrs=["primaryGroupID"])
281 self.assertTrue(len(res1) == 1)
282 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
285 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
286 m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
287 "userAccountControl")
290 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
291 scope=SCOPE_BASE, attrs=["primaryGroupID"])
292 self.assertTrue(len(res1) == 1)
293 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
295 # Read-only DC accounts are only creatable by
296 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
297 # we have a fallback in the assertion)
299 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
300 m["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
301 "userAccountControl")
304 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
305 scope=SCOPE_BASE, attrs=["primaryGroupID"])
306 self.assertTrue(len(res1) == 1)
307 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
308 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
310 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
312 # Recreate account for further tests
315 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
316 "objectclass": "user"})
318 # Try to set an invalid account name
320 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
321 m["sAMAccountName"] = MessageElement("administrator", FLAG_MOD_REPLACE,
326 except LdbError, (num, _):
327 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
329 # But to reset the actual "sAMAccountName" should still be possible
330 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
331 scope=SCOPE_BASE, attrs=["sAMAccountName"])
332 self.assertTrue(len(res1) == 1)
334 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
335 m["sAMAccountName"] = MessageElement(res1[0]["sAMAccountName"][0], FLAG_MOD_REPLACE,
339 # And another (free) name should be possible as well
341 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
342 m["sAMAccountName"] = MessageElement("xxx_ldaptestuser_xxx", FLAG_MOD_REPLACE,
346 # We should be able to reset our actual primary group
348 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
349 m["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS), FLAG_MOD_REPLACE,
353 # Try to add invalid primary group
355 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
356 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
361 except LdbError, (num, _):
362 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
364 # Try to make group 1 primary - should be denied since it is not yet
367 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
368 m["primaryGroupID"] = MessageElement(str(group_rid_1),
369 FLAG_MOD_REPLACE, "primaryGroupID")
373 except LdbError, (num, _):
374 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
376 # Make group 1 secondary
378 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
379 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
380 FLAG_MOD_REPLACE, "member")
383 # Make group 1 primary
385 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
386 m["primaryGroupID"] = MessageElement(str(group_rid_1),
387 FLAG_MOD_REPLACE, "primaryGroupID")
390 # Try to delete group 1 - should be denied
392 ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
394 except LdbError, (num, _):
395 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
397 # Try to add group 1 also as secondary - should be denied
399 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
400 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
401 FLAG_MOD_ADD, "member")
405 except LdbError, (num, _):
406 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
408 # Try to add invalid member to group 1 - should be denied
410 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
411 m["member"] = MessageElement(
412 "cn=ldaptestuser3,cn=users," + self.base_dn,
413 FLAG_MOD_ADD, "member")
417 except LdbError, (num, _):
418 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
420 # Make group 2 secondary
422 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
423 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
424 FLAG_MOD_ADD, "member")
429 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
430 m["primaryGroupID"] = MessageElement(str(group_rid_2),
431 FLAG_MOD_REPLACE, "primaryGroupID")
434 # Swap the groups (does not really make sense but does the same)
436 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
437 m["primaryGroupID"] = MessageElement(str(group_rid_1),
438 FLAG_MOD_REPLACE, "primaryGroupID")
439 m["primaryGroupID"] = MessageElement(str(group_rid_2),
440 FLAG_MOD_REPLACE, "primaryGroupID")
443 # Old primary group should contain a "member" attribute for the user,
444 # the new shouldn't contain anymore one
445 res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
446 scope=SCOPE_BASE, attrs=["member"])
447 self.assertTrue(len(res1) == 1)
448 self.assertTrue(len(res1[0]["member"]) == 1)
449 self.assertEquals(res1[0]["member"][0].lower(),
450 ("cn=ldaptestuser,cn=users," + self.base_dn).lower())
452 res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
453 scope=SCOPE_BASE, attrs=["member"])
454 self.assertTrue(len(res1) == 1)
455 self.assertFalse("member" in res1[0])
457 # Primary group member
459 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
460 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
461 FLAG_MOD_DELETE, "member")
465 except LdbError, (num, _):
466 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
468 # Delete invalid group member
470 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
471 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
472 FLAG_MOD_DELETE, "member")
476 except LdbError, (num, _):
477 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
479 # Also this should be denied
482 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
483 "objectclass": "user",
484 "primaryGroupID": "0"})
486 except LdbError, (num, _):
487 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
489 # Recreate user accounts
491 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
494 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
495 "objectclass": "user"})
498 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
499 "objectclass": "user"})
502 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
503 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
504 FLAG_MOD_ADD, "member")
509 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
510 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
511 FLAG_MOD_ADD, "member")
515 except LdbError, (num, _):
516 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
518 # Already added, but as <SID=...>
519 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
520 scope=SCOPE_BASE, attrs=["objectSid"])
521 self.assertTrue(len(res1) == 1)
522 sid_bin = res1[0]["objectSid"][0]
523 sid_str = ("<SID=" + ldb.schema_format_value("objectSid", sid_bin) + ">").upper()
526 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
527 m["member"] = MessageElement(sid_str, FLAG_MOD_ADD, "member")
531 except LdbError, (num, _):
532 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
536 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
537 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
538 FLAG_MOD_REPLACE, "member")
542 except LdbError, (num, _):
543 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
547 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
548 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
549 "cn=ldaptestuser1,cn=users," + self.base_dn],
550 FLAG_MOD_REPLACE, "member")
554 except LdbError, (num, _):
555 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
559 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
560 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
561 FLAG_MOD_REPLACE, "member")
562 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
563 FLAG_MOD_ADD, "member")
567 except LdbError, (num, _):
568 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
571 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
572 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
573 "cn=ldaptestuser2,cn=users," + self.base_dn],
574 FLAG_MOD_REPLACE, "member")
577 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
578 delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
579 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
580 delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
582 # Make also a small test for accounts with special DNs ("," in this case)
584 "dn": "cn=ldaptest\,specialuser,cn=users," + self.base_dn,
585 "objectclass": "user"})
586 delete_force(self.ldb, "cn=ldaptest\,specialuser,cn=users," + self.base_dn)
588 def test_sam_attributes(self):
589 """Test the behaviour of special attributes of SAM objects"""
590 print "Testing the behaviour of special attributes of SAM objects\n"""
593 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
594 "objectclass": "user"})
596 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
597 "objectclass": "group"})
600 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
601 m["groupType"] = MessageElement(str(GTYPE_SECURITY_GLOBAL_GROUP), FLAG_MOD_ADD,
606 except LdbError, (num, _):
607 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
609 # Delete protection tests
611 for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType",
612 "sAMAccountName", "groupType"]:
615 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
616 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
620 except LdbError, (num, _):
621 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
624 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
625 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
629 except LdbError, (num, _):
630 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
633 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
634 m["primaryGroupID"] = MessageElement("513", FLAG_MOD_ADD,
639 except LdbError, (num, _):
640 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
643 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
644 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD,
645 "userAccountControl")
649 except LdbError, (num, _):
650 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
653 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
654 m["objectSid"] = MessageElement("xxxxxxxxxxxxxxxx", FLAG_MOD_ADD,
659 except LdbError, (num, _):
660 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
663 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
664 m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD,
669 except LdbError, (num, _):
670 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
673 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
674 m["sAMAccountName"] = MessageElement("test", FLAG_MOD_ADD,
679 except LdbError, (num, _):
680 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
682 # Delete protection tests
684 for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType",
685 "sAMAccountName", "primaryGroupID", "userAccountControl",
686 "accountExpires", "badPasswordTime", "badPwdCount",
687 "codePage", "countryCode", "lastLogoff", "lastLogon",
688 "logonCount", "pwdLastSet"]:
691 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
692 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
696 except LdbError, (num, _):
697 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
700 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
701 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
705 except LdbError, (num, _):
706 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
708 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
709 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
711 def test_primary_group_token_constructed(self):
712 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
713 print "Testing primary group token behaviour and other constructed attributes\n"
717 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
718 "objectclass": "group",
719 "primaryGroupToken": "100"})
721 except LdbError, (num, _):
722 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
723 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
726 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
727 "objectclass": "user"})
730 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
731 "objectclass": "group"})
733 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
734 res1 = ldb.search(self.base_dn,
735 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"])
736 self.assertTrue(len(res1) == 1)
737 self.assertFalse("primaryGroupToken" in res1[0])
738 self.assertTrue("canonicalName" in res1[0])
739 self.assertTrue("objectClass" in res1[0])
740 self.assertTrue("objectSid" in res1[0])
742 res1 = ldb.search(self.base_dn,
743 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"])
744 self.assertTrue(len(res1) == 1)
745 self.assertFalse("primaryGroupToken" in res1[0])
746 self.assertFalse("objectSid" in res1[0])
747 self.assertFalse("objectClass" in res1[0])
748 self.assertTrue("canonicalName" in res1[0])
750 res1 = ldb.search("cn=users," + self.base_dn,
751 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
752 self.assertTrue(len(res1) == 1)
753 self.assertFalse("primaryGroupToken" in res1[0])
755 res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn,
756 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
757 self.assertTrue(len(res1) == 1)
758 self.assertFalse("primaryGroupToken" in res1[0])
760 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
762 self.assertTrue(len(res1) == 1)
763 self.assertFalse("primaryGroupToken" in res1[0])
765 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
766 scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"])
767 self.assertTrue(len(res1) == 1)
768 primary_group_token = int(res1[0]["primaryGroupToken"][0])
770 rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1]
771 self.assertEquals(primary_group_token, rid)
774 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
775 m["primaryGroupToken"] = "100"
779 except LdbError, (num, _):
780 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
782 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
783 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
785 def test_tokenGroups(self):
786 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
787 print "Testing tokenGroups behaviour\n"
789 # The domain object shouldn't contain any "tokenGroups" entry
790 res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"])
791 self.assertTrue(len(res) == 1)
792 self.assertFalse("tokenGroups" in res[0])
794 # The domain administrator should contain "tokenGroups" entries
795 # (the exact number depends on the domain/forest function level and the
796 # DC software versions)
797 res = ldb.search("cn=Administrator,cn=Users," + self.base_dn,
798 scope=SCOPE_BASE, attrs=["tokenGroups"])
799 self.assertTrue(len(res) == 1)
800 self.assertTrue("tokenGroups" in res[0])
803 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
804 "objectclass": "user"})
806 # This testuser should contain at least two "tokenGroups" entries
807 # (exactly two on an unmodified "Domain Users" and "Users" group)
808 res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
809 scope=SCOPE_BASE, attrs=["tokenGroups"])
810 self.assertTrue(len(res) == 1)
811 self.assertTrue(len(res[0]["tokenGroups"]) >= 2)
813 # one entry which we need to find should point to domains "Domain Users"
814 # group and another entry should point to the builtin "Users"group
815 domain_users_group_found = False
816 users_group_found = False
817 for sid in res[0]["tokenGroups"]:
818 rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1]
820 domain_users_group_found = True
822 users_group_found = True
824 self.assertTrue(domain_users_group_found)
825 self.assertTrue(users_group_found)
827 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
829 def test_groupType(self):
830 """Test the groupType behaviour"""
831 print "Testing groupType behaviour\n"
833 # You can never create or change to a
834 # "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP"
841 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
842 "objectclass": "group",
845 except LdbError, (num, _):
846 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
847 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
851 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
852 "objectclass": "group",
853 "groupType": str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP)})
855 except LdbError, (num, _):
856 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
857 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
860 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
861 "objectclass": "group",
862 "groupType": str(GTYPE_SECURITY_GLOBAL_GROUP)})
864 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
865 scope=SCOPE_BASE, attrs=["sAMAccountType"])
866 self.assertTrue(len(res1) == 1)
867 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
868 ATYPE_SECURITY_GLOBAL_GROUP)
869 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
872 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
873 "objectclass": "group",
874 "groupType": str(GTYPE_SECURITY_UNIVERSAL_GROUP)})
876 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
877 scope=SCOPE_BASE, attrs=["sAMAccountType"])
878 self.assertTrue(len(res1) == 1)
879 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
880 ATYPE_SECURITY_UNIVERSAL_GROUP)
881 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
884 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
885 "objectclass": "group",
886 "groupType": str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)})
888 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
889 scope=SCOPE_BASE, attrs=["sAMAccountType"])
890 self.assertTrue(len(res1) == 1)
891 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
892 ATYPE_SECURITY_LOCAL_GROUP)
893 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
896 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
897 "objectclass": "group",
898 "groupType": str(GTYPE_DISTRIBUTION_GLOBAL_GROUP)})
900 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
901 scope=SCOPE_BASE, attrs=["sAMAccountType"])
902 self.assertTrue(len(res1) == 1)
903 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
904 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
905 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
908 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
909 "objectclass": "group",
910 "groupType": str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP)})
912 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
913 scope=SCOPE_BASE, attrs=["sAMAccountType"])
914 self.assertTrue(len(res1) == 1)
915 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
916 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
917 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
920 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
921 "objectclass": "group",
922 "groupType": str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)})
924 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
925 scope=SCOPE_BASE, attrs=["sAMAccountType"])
926 self.assertTrue(len(res1) == 1)
927 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
928 ATYPE_DISTRIBUTION_LOCAL_GROUP)
929 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
934 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
935 "objectclass": "group"})
937 # We can change in this direction: global <-> universal <-> local
938 # On each step also the group type itself (security/distribution) is
941 # After creation we should have a "security global group"
942 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
943 scope=SCOPE_BASE, attrs=["sAMAccountType"])
944 self.assertTrue(len(res1) == 1)
945 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
946 ATYPE_SECURITY_GLOBAL_GROUP)
951 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
952 m["groupType"] = MessageElement("0",
953 FLAG_MOD_REPLACE, "groupType")
956 except LdbError, (num, _):
957 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
961 # Default is "global group"
964 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
965 m["groupType"] = MessageElement(
966 str(GTYPE_SECURITY_GLOBAL_GROUP),
967 FLAG_MOD_REPLACE, "groupType")
970 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
971 scope=SCOPE_BASE, attrs=["sAMAccountType"])
972 self.assertTrue(len(res1) == 1)
973 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
974 ATYPE_SECURITY_GLOBAL_GROUP)
976 # Change to "local" (shouldn't work)
980 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
981 m["groupType"] = MessageElement(
982 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
983 FLAG_MOD_REPLACE, "groupType")
986 except LdbError, (num, _):
987 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
989 # Change to "universal"
992 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
993 m["groupType"] = MessageElement(
994 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
995 FLAG_MOD_REPLACE, "groupType")
998 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
999 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1000 self.assertTrue(len(res1) == 1)
1001 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1002 ATYPE_SECURITY_UNIVERSAL_GROUP)
1004 # Change back to "global"
1007 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1008 m["groupType"] = MessageElement(
1009 str(GTYPE_SECURITY_GLOBAL_GROUP),
1010 FLAG_MOD_REPLACE, "groupType")
1013 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1014 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1015 self.assertTrue(len(res1) == 1)
1016 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1017 ATYPE_SECURITY_GLOBAL_GROUP)
1019 # Change back to "universal"
1022 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1023 m["groupType"] = MessageElement(
1024 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1025 FLAG_MOD_REPLACE, "groupType")
1028 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1029 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1030 self.assertTrue(len(res1) == 1)
1031 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1032 ATYPE_SECURITY_UNIVERSAL_GROUP)
1037 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1038 m["groupType"] = MessageElement(
1039 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1040 FLAG_MOD_REPLACE, "groupType")
1043 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1044 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1045 self.assertTrue(len(res1) == 1)
1046 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1047 ATYPE_SECURITY_LOCAL_GROUP)
1049 # Change to "global" (shouldn't work)
1053 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1054 m["groupType"] = MessageElement(
1055 str(GTYPE_SECURITY_GLOBAL_GROUP),
1056 FLAG_MOD_REPLACE, "groupType")
1059 except LdbError, (num, _):
1060 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1062 # Change to "builtin local" (shouldn't work)
1066 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1067 m["groupType"] = MessageElement(
1068 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1069 FLAG_MOD_REPLACE, "groupType")
1072 except LdbError, (num, _):
1073 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1076 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1078 # Change back to "universal"
1081 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1082 m["groupType"] = MessageElement(
1083 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1084 FLAG_MOD_REPLACE, "groupType")
1087 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1088 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1089 self.assertTrue(len(res1) == 1)
1090 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1091 ATYPE_SECURITY_UNIVERSAL_GROUP)
1093 # Change to "builtin local" (shouldn't work)
1097 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1098 m["groupType"] = MessageElement(
1099 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1100 FLAG_MOD_REPLACE, "groupType")
1103 except LdbError, (num, _):
1104 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1106 # Change back to "global"
1109 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1110 m["groupType"] = MessageElement(
1111 str(GTYPE_SECURITY_GLOBAL_GROUP),
1112 FLAG_MOD_REPLACE, "groupType")
1115 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1116 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1117 self.assertTrue(len(res1) == 1)
1118 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1119 ATYPE_SECURITY_GLOBAL_GROUP)
1121 # Change to "builtin local" (shouldn't work)
1125 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1126 m["groupType"] = MessageElement(
1127 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1128 FLAG_MOD_REPLACE, "groupType")
1131 except LdbError, (num, _):
1132 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1134 # Distribution groups
1136 # Default is "global group"
1139 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1140 m["groupType"] = MessageElement(
1141 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1142 FLAG_MOD_REPLACE, "groupType")
1145 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1146 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1147 self.assertTrue(len(res1) == 1)
1148 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1149 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1151 # Change to local (shouldn't work)
1155 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1156 m["groupType"] = MessageElement(
1157 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1158 FLAG_MOD_REPLACE, "groupType")
1161 except LdbError, (num, _):
1162 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1164 # Change to "universal"
1167 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1168 m["groupType"] = MessageElement(
1169 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1170 FLAG_MOD_REPLACE, "groupType")
1173 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1174 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1175 self.assertTrue(len(res1) == 1)
1176 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1177 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1179 # Change back to "global"
1182 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1183 m["groupType"] = MessageElement(
1184 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1185 FLAG_MOD_REPLACE, "groupType")
1188 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1189 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1190 self.assertTrue(len(res1) == 1)
1191 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1192 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1194 # Change back to "universal"
1197 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1198 m["groupType"] = MessageElement(
1199 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1200 FLAG_MOD_REPLACE, "groupType")
1203 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1204 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1205 self.assertTrue(len(res1) == 1)
1206 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1207 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1212 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1213 m["groupType"] = MessageElement(
1214 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1215 FLAG_MOD_REPLACE, "groupType")
1218 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1219 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1220 self.assertTrue(len(res1) == 1)
1221 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1222 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1224 # Change to "global" (shouldn't work)
1228 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1229 m["groupType"] = MessageElement(
1230 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1231 FLAG_MOD_REPLACE, "groupType")
1234 except LdbError, (num, _):
1235 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1237 # Change back to "universal"
1239 # Try to add invalid member to group 1 - should be denied
1241 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1242 m["member"] = MessageElement(
1243 "cn=ldaptestuser3,cn=users," + self.base_dn,
1244 FLAG_MOD_ADD, "member")
1248 except LdbError, (num, _):
1249 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1251 # Make group 2 secondary
1253 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1254 m["groupType"] = MessageElement(
1255 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1256 FLAG_MOD_REPLACE, "groupType")
1259 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1260 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1261 self.assertTrue(len(res1) == 1)
1262 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1263 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1265 # Change back to "global"
1268 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1269 m["groupType"] = MessageElement(
1270 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1271 FLAG_MOD_REPLACE, "groupType")
1274 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1275 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1276 self.assertTrue(len(res1) == 1)
1277 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1278 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1280 # Both group types: this performs only random checks - all possibilities
1281 # would require too much code.
1283 # Default is "global group"
1286 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1287 m["groupType"] = MessageElement(
1288 str(GTYPE_SECURITY_GLOBAL_GROUP),
1289 FLAG_MOD_REPLACE, "groupType")
1292 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1293 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1294 self.assertTrue(len(res1) == 1)
1295 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1296 ATYPE_SECURITY_GLOBAL_GROUP)
1298 # Change to "local" (shouldn't work)
1302 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1303 m["groupType"] = MessageElement(
1304 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1305 FLAG_MOD_REPLACE, "groupType")
1308 except LdbError, (num, _):
1309 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1311 # Change to "universal"
1314 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1315 m["groupType"] = MessageElement(
1316 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1317 FLAG_MOD_REPLACE, "groupType")
1320 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1321 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1322 self.assertTrue(len(res1) == 1)
1323 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1324 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1326 # Change back to "global"
1329 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1330 m["groupType"] = MessageElement(
1331 str(GTYPE_SECURITY_GLOBAL_GROUP),
1332 FLAG_MOD_REPLACE, "groupType")
1335 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1336 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1337 self.assertTrue(len(res1) == 1)
1338 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1339 ATYPE_SECURITY_GLOBAL_GROUP)
1341 # Change back to "universal"
1344 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1345 m["groupType"] = MessageElement(
1346 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1347 FLAG_MOD_REPLACE, "groupType")
1350 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1351 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1352 self.assertTrue(len(res1) == 1)
1353 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1354 ATYPE_SECURITY_UNIVERSAL_GROUP)
1359 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1360 m["groupType"] = MessageElement(
1361 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1362 FLAG_MOD_REPLACE, "groupType")
1365 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1366 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1367 self.assertTrue(len(res1) == 1)
1368 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1369 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1371 # Change to "global" (shouldn't work)
1375 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1376 m["groupType"] = MessageElement(
1377 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1378 FLAG_MOD_REPLACE, "groupType")
1381 except LdbError, (num, _):
1382 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1384 # Change back to "universal"
1387 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1388 m["groupType"] = MessageElement(
1389 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1390 FLAG_MOD_REPLACE, "groupType")
1393 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1394 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1395 self.assertTrue(len(res1) == 1)
1396 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1397 ATYPE_SECURITY_UNIVERSAL_GROUP)
1399 # Change back to "global"
1402 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1403 m["groupType"] = MessageElement(
1404 str(GTYPE_SECURITY_GLOBAL_GROUP),
1405 FLAG_MOD_REPLACE, "groupType")
1408 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1409 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1410 self.assertTrue(len(res1) == 1)
1411 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1412 ATYPE_SECURITY_GLOBAL_GROUP)
1414 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1416 def test_userAccountControl(self):
1417 """Test the userAccountControl behaviour"""
1418 print "Testing userAccountControl behaviour\n"
1420 # With a user object
1424 # As user you can only set a normal account.
1425 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1427 # With SYSTEM rights you can set a interdomain trust account.
1432 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1433 "objectclass": "user",
1434 "userAccountControl": "0"})
1436 except LdbError, (num, _):
1437 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1438 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1440 # This has to wait until s4 supports it (needs a password module change)
1443 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1444 # "objectclass": "user",
1445 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1447 # except LdbError, (num, _):
1448 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1449 # delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1452 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1453 "objectclass": "user",
1454 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1456 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1457 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1458 self.assertTrue(len(res1) == 1)
1459 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1460 ATYPE_NORMAL_ACCOUNT)
1461 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1465 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1466 "objectclass": "user",
1467 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1469 except LdbError, (num, _):
1470 self.assertEquals(num, ERR_OTHER)
1471 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1473 # This isn't supported yet in s4
1476 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1477 # "objectclass": "user",
1478 # "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1480 # except LdbError, (num, _):
1481 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1482 # delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1486 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1487 # "objectclass": "user",
1488 # "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1489 # except LdbError, (num, _):
1490 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1491 # delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1493 # This isn't supported yet in s4 - needs ACL module adaption
1496 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1497 # "objectclass": "user",
1498 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1500 # except LdbError, (num, _):
1501 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1502 # delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1507 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1508 "objectclass": "user"})
1510 # After creation we should have a normal account
1511 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1512 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1513 self.assertTrue(len(res1) == 1)
1514 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1515 ATYPE_NORMAL_ACCOUNT)
1517 # As user you can only switch from a normal account to a workstation
1518 # trust account and back.
1519 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1521 # With SYSTEM rights you can switch to a interdomain trust account.
1526 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1527 m["userAccountControl"] = MessageElement("0",
1528 FLAG_MOD_REPLACE, "userAccountControl")
1530 except LdbError, (num, _):
1531 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1533 # This has to wait until s4 supports it (needs a password module change)
1536 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1537 # m["userAccountControl"] = MessageElement(
1538 # str(UF_NORMAL_ACCOUNT),
1539 # FLAG_MOD_REPLACE, "userAccountControl")
1541 # except LdbError, (num, _):
1542 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1545 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1546 m["userAccountControl"] = MessageElement(
1547 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1548 FLAG_MOD_REPLACE, "userAccountControl")
1551 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1552 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1553 self.assertTrue(len(res1) == 1)
1554 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1555 ATYPE_NORMAL_ACCOUNT)
1559 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1560 m["userAccountControl"] = MessageElement(
1561 str(UF_TEMP_DUPLICATE_ACCOUNT),
1562 FLAG_MOD_REPLACE, "userAccountControl")
1565 except LdbError, (num, _):
1566 self.assertEquals(num, ERR_OTHER)
1568 # This isn't supported yet in s4
1571 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1572 # m["userAccountControl"] = MessageElement(
1573 # str(UF_SERVER_TRUST_ACCOUNT),
1574 # FLAG_MOD_REPLACE, "userAccountControl")
1577 # except LdbError, (num, _):
1578 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1581 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1582 m["userAccountControl"] = MessageElement(
1583 str(UF_WORKSTATION_TRUST_ACCOUNT),
1584 FLAG_MOD_REPLACE, "userAccountControl")
1587 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1588 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1589 self.assertTrue(len(res1) == 1)
1590 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1591 ATYPE_WORKSTATION_TRUST)
1594 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1595 m["userAccountControl"] = MessageElement(
1596 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1597 FLAG_MOD_REPLACE, "userAccountControl")
1600 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1601 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1602 self.assertTrue(len(res1) == 1)
1603 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1604 ATYPE_NORMAL_ACCOUNT)
1606 # This isn't supported yet in s4 - needs ACL module adaption
1609 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1610 # m["userAccountControl"] = MessageElement(
1611 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1612 # FLAG_MOD_REPLACE, "userAccountControl")
1615 # except LdbError, (num, _):
1616 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1618 # With a computer object
1622 # As computer you can set a normal account and a server trust account.
1623 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1625 # With SYSTEM rights you can set a interdomain trust account.
1630 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1631 "objectclass": "computer",
1632 "userAccountControl": "0"})
1634 except LdbError, (num, _):
1635 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1636 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1638 # This has to wait until s4 supports it (needs a password module change)
1641 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1642 # "objectclass": "computer",
1643 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1645 # except LdbError, (num, _):
1646 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1647 # delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1650 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1651 "objectclass": "computer",
1652 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1654 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1655 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1656 self.assertTrue(len(res1) == 1)
1657 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1658 ATYPE_NORMAL_ACCOUNT)
1659 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1663 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1664 "objectclass": "computer",
1665 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1667 except LdbError, (num, _):
1668 self.assertEquals(num, ERR_OTHER)
1669 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1672 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1673 "objectclass": "computer",
1674 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1676 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1677 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1678 self.assertTrue(len(res1) == 1)
1679 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1680 ATYPE_WORKSTATION_TRUST)
1681 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1685 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1686 "objectclass": "computer",
1687 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1688 except LdbError, (num, _):
1689 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1690 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1692 # This isn't supported yet in s4 - needs ACL module adaption
1695 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1696 # "objectclass": "computer",
1697 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1699 # except LdbError, (num, _):
1700 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1701 # delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1706 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1707 "objectclass": "computer"})
1709 # After creation we should have a normal account
1710 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1711 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1712 self.assertTrue(len(res1) == 1)
1713 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1714 ATYPE_NORMAL_ACCOUNT)
1716 # As computer you can switch from a normal account to a workstation
1717 # or server trust account and back (also swapping between trust
1718 # accounts is allowed).
1719 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1721 # With SYSTEM rights you can switch to a interdomain trust account.
1726 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1727 m["userAccountControl"] = MessageElement("0",
1728 FLAG_MOD_REPLACE, "userAccountControl")
1730 except LdbError, (num, _):
1731 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1733 # This has to wait until s4 supports it (needs a password module change)
1736 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1737 # m["userAccountControl"] = MessageElement(
1738 # str(UF_NORMAL_ACCOUNT),
1739 # FLAG_MOD_REPLACE, "userAccountControl")
1741 # except LdbError, (num, _):
1742 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1745 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1746 m["userAccountControl"] = MessageElement(
1747 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1748 FLAG_MOD_REPLACE, "userAccountControl")
1751 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1752 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1753 self.assertTrue(len(res1) == 1)
1754 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1755 ATYPE_NORMAL_ACCOUNT)
1759 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1760 m["userAccountControl"] = MessageElement(
1761 str(UF_TEMP_DUPLICATE_ACCOUNT),
1762 FLAG_MOD_REPLACE, "userAccountControl")
1765 except LdbError, (num, _):
1766 self.assertEquals(num, ERR_OTHER)
1769 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1770 m["userAccountControl"] = MessageElement(
1771 str(UF_SERVER_TRUST_ACCOUNT),
1772 FLAG_MOD_REPLACE, "userAccountControl")
1775 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1776 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1777 self.assertTrue(len(res1) == 1)
1778 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1779 ATYPE_WORKSTATION_TRUST)
1782 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1783 m["userAccountControl"] = MessageElement(
1784 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1785 FLAG_MOD_REPLACE, "userAccountControl")
1788 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1789 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1790 self.assertTrue(len(res1) == 1)
1791 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1792 ATYPE_NORMAL_ACCOUNT)
1795 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1796 m["userAccountControl"] = MessageElement(
1797 str(UF_WORKSTATION_TRUST_ACCOUNT),
1798 FLAG_MOD_REPLACE, "userAccountControl")
1801 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1802 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1803 self.assertTrue(len(res1) == 1)
1804 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1805 ATYPE_WORKSTATION_TRUST)
1808 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1809 m["userAccountControl"] = MessageElement(
1810 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1811 FLAG_MOD_REPLACE, "userAccountControl")
1814 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1815 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1816 self.assertTrue(len(res1) == 1)
1817 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1818 ATYPE_NORMAL_ACCOUNT)
1821 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1822 m["userAccountControl"] = MessageElement(
1823 str(UF_SERVER_TRUST_ACCOUNT),
1824 FLAG_MOD_REPLACE, "userAccountControl")
1827 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1828 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1829 self.assertTrue(len(res1) == 1)
1830 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1831 ATYPE_WORKSTATION_TRUST)
1834 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1835 m["userAccountControl"] = MessageElement(
1836 str(UF_WORKSTATION_TRUST_ACCOUNT),
1837 FLAG_MOD_REPLACE, "userAccountControl")
1840 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1841 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1842 self.assertTrue(len(res1) == 1)
1843 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1844 ATYPE_WORKSTATION_TRUST)
1846 # This isn't supported yet in s4 - needs ACL module adaption
1849 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1850 # m["userAccountControl"] = MessageElement(
1851 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1852 # FLAG_MOD_REPLACE, "userAccountControl")
1855 # except LdbError, (num, _):
1856 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1858 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1859 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1861 def test_service_principal_name_updates(self):
1862 """Test the servicePrincipalNames update behaviour"""
1863 print "Testing servicePrincipalNames update behaviour\n"
1866 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1867 "objectclass": "computer",
1868 "dNSHostName": "testname.testdom"})
1870 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1871 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1872 self.assertTrue(len(res) == 1)
1873 self.assertFalse("servicePrincipalName" in res[0])
1875 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1878 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1879 "objectclass": "computer",
1880 "servicePrincipalName": "HOST/testname.testdom"})
1882 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1883 scope=SCOPE_BASE, attrs=["dNSHostName"])
1884 self.assertTrue(len(res) == 1)
1885 self.assertFalse("dNSHostName" in res[0])
1887 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1890 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1891 "objectclass": "computer",
1892 "dNSHostName": "testname2.testdom",
1893 "servicePrincipalName": "HOST/testname.testdom"})
1895 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1896 scope=SCOPE_BASE, attrs=["dNSHostName"])
1897 self.assertTrue(len(res) == 1)
1898 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
1900 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1901 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1902 self.assertTrue(len(res) == 1)
1903 self.assertEquals(res[0]["servicePrincipalName"][0],
1904 "HOST/testname.testdom")
1907 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1908 m["dNSHostName"] = MessageElement("testname.testdoM",
1909 FLAG_MOD_REPLACE, "dNSHostName")
1912 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1913 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1914 self.assertTrue(len(res) == 1)
1915 self.assertEquals(res[0]["servicePrincipalName"][0],
1916 "HOST/testname.testdom")
1919 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1920 m["dNSHostName"] = MessageElement("testname2.testdom2",
1921 FLAG_MOD_REPLACE, "dNSHostName")
1924 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1925 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1926 self.assertTrue(len(res) == 1)
1927 self.assertEquals(res[0]["servicePrincipalName"][0],
1928 "HOST/testname2.testdom2")
1931 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1932 m["dNSHostName"] = MessageElement([],
1933 FLAG_MOD_DELETE, "dNSHostName")
1936 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1937 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1938 self.assertTrue(len(res) == 1)
1939 self.assertEquals(res[0]["servicePrincipalName"][0],
1940 "HOST/testname2.testdom2")
1943 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1944 m["dNSHostName"] = MessageElement("testname.testdom3",
1945 FLAG_MOD_REPLACE, "dNSHostName")
1948 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1949 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1950 self.assertTrue(len(res) == 1)
1951 self.assertEquals(res[0]["servicePrincipalName"][0],
1952 "HOST/testname2.testdom2")
1955 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1956 m["dNSHostName"] = MessageElement("testname2.testdom2",
1957 FLAG_MOD_REPLACE, "dNSHostName")
1961 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1962 m["dNSHostName"] = MessageElement("testname3.testdom3",
1963 FLAG_MOD_REPLACE, "dNSHostName")
1964 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
1966 "servicePrincipalName")
1969 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1970 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1971 self.assertTrue(len(res) == 1)
1972 self.assertEquals(res[0]["servicePrincipalName"][0],
1973 "HOST/testname3.testdom3")
1976 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1977 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
1979 "servicePrincipalName")
1980 m["dNSHostName"] = MessageElement("testname4.testdom4",
1981 FLAG_MOD_REPLACE, "dNSHostName")
1984 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1985 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1986 self.assertTrue(len(res) == 1)
1987 self.assertEquals(res[0]["servicePrincipalName"][0],
1988 "HOST/testname2.testdom2")
1991 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1992 m["servicePrincipalName"] = MessageElement([],
1994 "servicePrincipalName")
1998 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1999 m["dNSHostName"] = MessageElement("testname2.testdom2",
2000 FLAG_MOD_REPLACE, "dNSHostName")
2003 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2004 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2005 self.assertTrue(len(res) == 1)
2006 self.assertFalse("servicePrincipalName" in res[0])
2008 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2011 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2012 "objectclass": "computer",
2013 "sAMAccountName": "testname$"})
2015 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2016 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2017 self.assertTrue(len(res) == 1)
2018 self.assertFalse("servicePrincipalName" in res[0])
2020 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2023 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2024 "objectclass": "computer",
2025 "servicePrincipalName": "HOST/testname"})
2027 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2028 scope=SCOPE_BASE, attrs=["sAMAccountName"])
2029 self.assertTrue(len(res) == 1)
2030 self.assertTrue("sAMAccountName" in res[0])
2032 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2035 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2036 "objectclass": "computer",
2037 "sAMAccountName": "testname$",
2038 "servicePrincipalName": "HOST/testname"})
2040 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2041 scope=SCOPE_BASE, attrs=["sAMAccountName"])
2042 self.assertTrue(len(res) == 1)
2043 self.assertEquals(res[0]["sAMAccountName"][0], "testname$")
2045 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2046 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2047 self.assertTrue(len(res) == 1)
2048 self.assertEquals(res[0]["servicePrincipalName"][0],
2052 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2053 m["sAMAccountName"] = MessageElement("testnamE$",
2054 FLAG_MOD_REPLACE, "sAMAccountName")
2057 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2058 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2059 self.assertTrue(len(res) == 1)
2060 self.assertEquals(res[0]["servicePrincipalName"][0],
2064 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2065 m["sAMAccountName"] = MessageElement("testname",
2066 FLAG_MOD_REPLACE, "sAMAccountName")
2069 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2070 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2071 self.assertTrue(len(res) == 1)
2072 self.assertEquals(res[0]["servicePrincipalName"][0],
2076 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2077 m["sAMAccountName"] = MessageElement("test$name$",
2078 FLAG_MOD_REPLACE, "sAMAccountName")
2081 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2082 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2083 self.assertTrue(len(res) == 1)
2084 self.assertEquals(res[0]["servicePrincipalName"][0],
2088 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2089 m["sAMAccountName"] = MessageElement("testname2",
2090 FLAG_MOD_REPLACE, "sAMAccountName")
2093 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2094 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2095 self.assertTrue(len(res) == 1)
2096 self.assertEquals(res[0]["servicePrincipalName"][0],
2100 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2101 m["sAMAccountName"] = MessageElement("testname3",
2102 FLAG_MOD_REPLACE, "sAMAccountName")
2103 m["servicePrincipalName"] = MessageElement("HOST/testname2",
2105 "servicePrincipalName")
2108 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2109 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2110 self.assertTrue(len(res) == 1)
2111 self.assertEquals(res[0]["servicePrincipalName"][0],
2115 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2116 m["servicePrincipalName"] = MessageElement("HOST/testname2",
2118 "servicePrincipalName")
2119 m["sAMAccountName"] = MessageElement("testname4",
2120 FLAG_MOD_REPLACE, "sAMAccountName")
2123 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2124 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2125 self.assertTrue(len(res) == 1)
2126 self.assertEquals(res[0]["servicePrincipalName"][0],
2130 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2131 m["servicePrincipalName"] = MessageElement([],
2133 "servicePrincipalName")
2137 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2138 m["sAMAccountName"] = MessageElement("testname2",
2139 FLAG_MOD_REPLACE, "sAMAccountName")
2142 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2143 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2144 self.assertTrue(len(res) == 1)
2145 self.assertFalse("servicePrincipalName" in res[0])
2147 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2150 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2151 "objectclass": "computer",
2152 "dNSHostName": "testname.testdom",
2153 "sAMAccountName": "testname$",
2154 "servicePrincipalName": [ "HOST/testname.testdom", "HOST/testname" ]
2158 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2159 m["dNSHostName"] = MessageElement("testname2.testdom",
2160 FLAG_MOD_REPLACE, "dNSHostName")
2161 m["sAMAccountName"] = MessageElement("testname2$",
2162 FLAG_MOD_REPLACE, "sAMAccountName")
2165 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2166 scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2167 self.assertTrue(len(res) == 1)
2168 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2169 self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2170 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2" or
2171 res[0]["servicePrincipalName"][1] == "HOST/testname2")
2172 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2.testdom" or
2173 res[0]["servicePrincipalName"][1] == "HOST/testname2.testdom")
2175 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2178 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2179 "objectclass": "computer",
2180 "dNSHostName": "testname.testdom",
2181 "sAMAccountName": "testname$",
2182 "servicePrincipalName": [ "HOST/testname.testdom", "HOST/testname" ]
2186 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2187 m["sAMAccountName"] = MessageElement("testname2$",
2188 FLAG_MOD_REPLACE, "sAMAccountName")
2189 m["dNSHostName"] = MessageElement("testname2.testdom",
2190 FLAG_MOD_REPLACE, "dNSHostName")
2193 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2194 scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2195 self.assertTrue(len(res) == 1)
2196 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2197 self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2198 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2" or
2199 res[0]["servicePrincipalName"][1] == "HOST/testname2")
2200 self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2.testdom" or
2201 res[0]["servicePrincipalName"][1] == "HOST/testname2.testdom")
2203 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2205 def test_sam_description_attribute(self):
2206 """Test SAM description attribute"""
2207 print "Test SAM description attribute"""
2210 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2211 "description": "desc2",
2212 "objectclass": "group",
2213 "description": "desc1"})
2215 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2216 scope=SCOPE_BASE, attrs=["description"])
2217 self.assertTrue(len(res) == 1)
2218 self.assertTrue("description" in res[0])
2219 self.assertTrue(len(res[0]["description"]) == 1)
2220 self.assertEquals(res[0]["description"][0], "desc1")
2222 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2225 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2226 "objectclass": "group",
2227 "description": ["desc1", "desc2"]})
2229 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2230 scope=SCOPE_BASE, attrs=["description"])
2231 self.assertTrue(len(res) == 1)
2232 self.assertTrue("description" in res[0])
2233 self.assertTrue(len(res[0]["description"]) == 2)
2234 self.assertTrue(res[0]["description"][0] == "desc1" or
2235 res[0]["description"][1] == "desc1")
2236 self.assertTrue(res[0]["description"][0] == "desc2" or
2237 res[0]["description"][1] == "desc2")
2240 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2241 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2246 except LdbError, (num, _):
2247 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2250 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2251 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2255 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2258 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2259 "objectclass": "group" })
2262 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2263 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2267 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2268 scope=SCOPE_BASE, attrs=["description"])
2269 self.assertTrue(len(res) == 1)
2270 self.assertTrue("description" in res[0])
2271 self.assertTrue(len(res[0]["description"]) == 1)
2272 self.assertEquals(res[0]["description"][0], "desc1")
2274 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2277 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2278 "objectclass": "group",
2279 "description": ["desc1", "desc2"]})
2282 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2283 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2287 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2288 scope=SCOPE_BASE, attrs=["description"])
2289 self.assertTrue(len(res) == 1)
2290 self.assertTrue("description" in res[0])
2291 self.assertTrue(len(res[0]["description"]) == 1)
2292 self.assertEquals(res[0]["description"][0], "desc1")
2295 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2296 m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
2301 except LdbError, (num, _):
2302 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2305 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2306 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2311 except LdbError, (num, _):
2312 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
2315 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2316 m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
2319 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2320 scope=SCOPE_BASE, attrs=["description"])
2321 self.assertTrue(len(res) == 1)
2322 self.assertFalse("description" in res[0])
2325 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2326 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2331 except LdbError, (num, _):
2332 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2335 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2336 m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
2341 except LdbError, (num, _):
2342 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2345 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2346 m["description"] = MessageElement("desc1", FLAG_MOD_ADD,
2350 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2351 scope=SCOPE_BASE, attrs=["description"])
2352 self.assertTrue(len(res) == 1)
2353 self.assertTrue("description" in res[0])
2354 self.assertTrue(len(res[0]["description"]) == 1)
2355 self.assertEquals(res[0]["description"][0], "desc1")
2357 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2360 if not "://" in host:
2361 if os.path.isfile(host):
2362 host = "tdb://%s" % host
2364 host = "ldap://%s" % host
2366 ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
2368 runner = SubunitTestRunner()
2370 if not runner.run(unittest.makeSuite(SamTests)).wasSuccessful():
git.samba.org / obnox / samba / samba-obnox.git / blob